{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `../assistant-stream` has no version pin: Unpinned pip requirement means every fresh instal", "shortDescription": {"text": "[MINED124] requirements.txt: `../assistant-stream` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reprod"}, "fullDescription": {"text": "Replace `../assistant-stream` with `../assistant-stream==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `_create_chunk` (dict): `def _create_chunk(... = []/{}/set())` \u2014 Python's default", "shortDescription": {"text": "[MINED109] Mutable default argument in `_create_chunk` (dict): `def _create_chunk(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it f"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def _create_chunk(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /d"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. 
Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. 
Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `create_run` has cognitive complexity 24 (SonarSource scale). Cognitive co", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `create_run` has cognitive complexity 24 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion al"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 24."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "QUAL003", "name": "Magic number used as default arg", "shortDescription": {"text": "Magic number used as default arg"}, "fullDescription": {"text": "Using hardcoded default values for complex configuration objects makes the code brittle and difficult to manage. Consider using a dedicated factory or builder pattern.\n\nAuto-promoted from proposal 444 on 2026-05-12. Synth confidence: 0.85. 
FP estimate: 0.00."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "XSS001", "name": "Cross-site scripting \u2014 dangerouslySetInnerHTML", "shortDescription": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "fullDescription": {"text": "dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"scanner": "repobility", "category": "injection", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 6.7% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 6.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No 
Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "QUAL005", "name": "Cluster of TODOs in one file", "shortDescription": {"text": "Cluster of TODOs in one file"}, "fullDescription": {"text": "Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "low", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional file. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. 
Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED088", "name": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks.", "shortDescription": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. 
", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 5 more): Same pattern found in 5 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. 
In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional file. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional file. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 7 more): Same pattern found in 7 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 25 more): Same pattern found in 25 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 25 more): Same pattern found in 25 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 55 more): Same pattern found in 55 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 55 more): Same pattern found in 55 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 35 more): Same pattern found in 35 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 27 more): Same pattern found in 27 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 66 more): Same pattern found in 66 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 66 more): Same pattern found in 66 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 34 more): Same pattern found in 34 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. T", "shortDescription": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantl"}, "fullDescription": {"text": "Replace with: `uses: actions/cache@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler cha", "shortDescription": {"text": "[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "fullDescription": {"text": "Add an auth middleware: app.post('/mcp', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. 
If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /api/chat/completions has no auth: Handler `chat_completions` is registered with router/app.post", "shortDescription": {"text": "[MINED112] FastAPI POST /api/chat/completions has no auth: Handler `chat_completions` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIn", "shortDescription": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This rais"}, "fullDescription": {"text": "Initialize `self.assertEqual = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_cancel: Test function `test_cancel` runs code but contains no assert / expect / s", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_cancel: Test function `test_cancel` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. 
Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /(home)/blog/llms.md/:slug."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.VERCEL_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, w", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.VERCEL_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VERCEL_TOKEN }` lets a PR from any fork exfiltrate the secret ("}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`", "shortDescription": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. 
This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import queue` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SSTI001", "name": "SSTI \u2014 Jinja2 Template from user string", "shortDescription": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "fullDescription": {"text": "jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"scanner": "repobility", "category": "injection", "severity": "critical", "confidence": 0.85, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/203"}, "properties": {"repository": "assistant-ui/assistant-ui", "repoUrl": "https://github.com/assistant-ui/assistant-ui", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `../assistant-stream` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 50113, "scanner": "repobility-supply-chain", "fingerprint": "70aa5b95771675fe57f330643e18ffc81c177e89fb203b6cbb82231a02d76c6f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70aa5b95771675fe57f330643e18ffc81c177e89fb203b6cbb82231a02d76c6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/state-test/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `_create_chunk` (dict): `def _create_chunk(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 50102, "scanner": "repobility-ast-engine", "fingerprint": "b98e183fe9e03bc8cbb09da2cd56846cb01a51254b74346e29d770f2f31452e4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b98e183fe9e03bc8cbb09da2cd56846cb01a51254b74346e29d770f2f31452e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/src/assistant_stream/serialization/openai_stream.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50074, "scanner": "repobility-ast-engine", "fingerprint": "d0358a101982194da4bded269013544a98b35eecb8ae98ea4f7c9204b5615fa9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d0358a101982194da4bded269013544a98b35eecb8ae98ea4f7c9204b5615fa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/examples/basic_example.py"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50073, "scanner": "repobility-ast-engine", "fingerprint": "d4efa23a76a96c0f226dc3fa497af1164fba1850786472fcf13eaf87855242a2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4efa23a76a96c0f226dc3fa497af1164fba1850786472fcf13eaf87855242a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/examples/basic_example.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50072, "scanner": "repobility-ast-engine", "fingerprint": "7bbd848e39ccbd3c95d7ecc131d7e61a7ca3170f01393f4d4d32d9e7ea724361", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7bbd848e39ccbd3c95d7ecc131d7e61a7ca3170f01393f4d4d32d9e7ea724361"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/examples/basic_example.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50071, "scanner": "repobility-ast-engine", "fingerprint": "22687a3ddfb54c084f645737eb39069379c9baa0a12303a944fa2c4c0f292cc4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22687a3ddfb54c084f645737eb39069379c9baa0a12303a944fa2c4c0f292cc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/examples/basic_example.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50070, "scanner": "repobility-ast-engine", "fingerprint": "00b779baad9aae96836c8968fcafa89befdc893175f790423c48dd5aad84bb37", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|00b779baad9aae96836c8968fcafa89befdc893175f790423c48dd5aad84bb37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/examples/basic_example.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50069, "scanner": "repobility-ast-engine", "fingerprint": "dc3821b4d8d85450ca81942a8e793291c8391cbc85435a0944d217531df0ee73", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dc3821b4d8d85450ca81942a8e793291c8391cbc85435a0944d217531df0ee73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend/main.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50068, "scanner": "repobility-ast-engine", "fingerprint": "f8a1f58c64daa83f29b61ccb0761d8bdfdc594b228ae590171443c63bcf32431", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f8a1f58c64daa83f29b61ccb0761d8bdfdc594b228ae590171443c63bcf32431"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend/setup.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50067, "scanner": "repobility-ast-engine", "fingerprint": "4c650665eeb4f1429c51fe4a6dfeb0fcdaf472424b62d747e8d5d9e8020bc8c3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4c650665eeb4f1429c51fe4a6dfeb0fcdaf472424b62d747e8d5d9e8020bc8c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend/setup.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 50062, "scanner": "repobility-ast-engine", "fingerprint": "9db568f449ea5d9fe74cbdbf61c18753fe318eb3f2db1a52de6e9274fa5819d5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9db568f449ea5d9fe74cbdbf61c18753fe318eb3f2db1a52de6e9274fa5819d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-ag-ui/server/agent.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /doc/chat/route."}, "properties": {"repobilityId": 50061, "scanner": "repobility-access-control", "fingerprint": "c5cf7e5d63b9af57c61b0cf87181df9ff506052b6a9949611a3451203d7a87c1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/doc/chat/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|296|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/api/doc/chat/route.ts"}, "region": {"startLine": 296}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /chat/route."}, "properties": {"repobilityId": 50060, "scanner": "repobility-access-control", "fingerprint": "9f94f090bc25a6032c5f5775cfae848dd4e9723c7c6d3289dca2ab4d66f7c25d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/chat/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|39|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/api/chat/route.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 50059, "scanner": "repobility-agent-runtime", "fingerprint": "8f4baffd5f7c7cbb49bb7afb4ff12edc0fddf970c456b8a070d8173b22eb72c3", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|8f4baffd5f7c7cbb49bb7afb4ff12edc0fddf970c456b8a070d8173b22eb72c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/hooks/use-persistent-boolean.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 50049, "scanner": "repobility-threat-engine", "fingerprint": "559eb0a78aba668362fbbb93c002b37bfefcf1c1c2e2849faa5cb4c1676af91e", "category": "injection", 
"severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(command, shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|31|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend/setup.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 50041, "scanner": "repobility-threat-engine", "fingerprint": "d1586274bd1e371f941928aeaa3b86f4706cbfd174468e6cd68d383f4b1786cd", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, \"_blank\", \"noopener,noreferrer\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|82|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react/src/mcp-apps/McpAppRenderer.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. 
Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 50040, "scanner": "repobility-threat-engine", "fingerprint": "914ddfc2d2fc5000dccb48304b1ac4804685e5cf43e7c32985b9172102ff5bf0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "API_KEY='<redacted>", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|914ddfc2d2fc5000dccb48304b1ac4804685e5cf43e7c32985b9172102ff5bf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react/scripts/test-integration.sh"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 50038, "scanner": "repobility-threat-engine", "fingerprint": "b4211f99e9af57d24fa8a0f3511660ac76b3be15b309f78c85e90270e77d1806", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random()}`;\n      return `${encodeServerIdInState(serverId)}.${nonce", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b4211f99e9af57d24fa8a0f3511660ac76b3be15b309f78c85e90270e77d1806"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-mcp/src/auth/createOAuthProvider.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 50034, "scanner": "repobility-threat-engine", "fingerprint": "70e5f5948d6426d3f3ead9148a4eedf232c565dafad9e1fcf6a4bbf2cef90ebe", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|70e5f5948d6426d3f3ead9148a4eedf232c565dafad9e1fcf6a4bbf2cef90ebe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cloud-ai-sdk/src/core/CloudTelemetryReporter.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 
50033, "scanner": "repobility-threat-engine", "fingerprint": "a8e4e1c4c6170fddbe4890e3260a6261a1a5102c93434ebf736e4bcf9c133168", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a8e4e1c4c6170fddbe4890e3260a6261a1a5102c93434ebf736e4bcf9c133168"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cloud-ai-sdk/src/core/CloudChatCore.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 50032, "scanner": "repobility-threat-engine", "fingerprint": "60d00a95da71f73facd0ed75b9afeb98c99506247107cee46b7dd296e7742f56", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60d00a95da71f73facd0ed75b9afeb98c99506247107cee46b7dd296e7742f56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/assistant-stream/src/resumable/ResumableStreamContext.ts"}, "region": {"startLine": 184}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `create_run` has cognitive complexity 24 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=1, else=2, except=4, if=5, nested_bonus=11, while=1."}, "properties": {"repobilityId": 50027, "scanner": "repobility-threat-engine", "fingerprint": "aae205b79ff77ccf3d91fd7248e3015f0209ef75ad68ea0c1438a658c56e89d6", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 24 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "create_run", "breakdown": {"if": 5, "else": 2, "break": 1, "while": 1, "except": 4, "nested_bonus": 11}, "complexity": 24, "correlation_key": "fp|aae205b79ff77ccf3d91fd7248e3015f0209ef75ad68ea0c1438a658c56e89d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/src/assistant_stream/create_run.py"}, "region": {"startLine": 192}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `echo_agent` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=2, elif=1, for=3, if=3, nested_bonus=12."}, "properties": {"repobilityId": 50025, "scanner": "repobility-threat-engine", "fingerprint": "08f22857659ebdf8f025036f2552ca157309bbca21c089c6d3c27ba74a835d90", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 21 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "echo_agent", "breakdown": {"if": 3, "for": 3, "elif": 1, "break": 2, "nested_bonus": 12}, "complexity": 21, "correlation_key": "fp|08f22857659ebdf8f025036f2552ca157309bbca21c089c6d3c27ba74a835d90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-ag-ui/server/agent.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 49998, "scanner": "repobility-threat-engine", "fingerprint": "b3bada42d56b18f1f0287039caf6b7e5ab00895814ef08fdb413c1497adc36a9", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|82|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-ffmpeg/app/page.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 49997, "scanner": "repobility-threat-engine", "fingerprint": "de422973af70adeb969088f58c7dcd567b31be5e213b2b11790b6b7baf0807b4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|23|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-chain-of-thought/app/page.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 49996, "scanner": "repobility-threat-engine", "fingerprint": "ba9a0e49af8945b354095e449e9bced67476a54bbfbda7a6154cf7cf83c0ebce", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|88|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/docs/preview-code.server.tsx"}, "region": {"startLine": 88}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21879, "scanner": "repobility", "fingerprint": "e46280a388c6141bd95bf927282c1b30", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 1500", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-app-studio/src/platforms/mcp/bridge.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21878, "scanner": "repobility", "fingerprint": "af1b367585d40413558b653bbc70b06c", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 1.2", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/tw-glass/scripts/filter-builder.mjs"}, 
"region": {"startLine": 122}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21877, "scanner": "repobility", "fingerprint": "d649c68862999644330dde749df2585b", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 1.4", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/tw-glass/scripts/filter-builder.mjs"}, "region": {"startLine": 121}}}]}, {"ruleId": "XSS001", "level": "warning", "message": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "properties": {"repobilityId": 13430, "scanner": "repobility", "fingerprint": "4e9960ce57484f70f8e7b637ed5be1f2", "category": "injection", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "dangerouslySetInnerHTML", "aljefra_cwe": ["CWE-79"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "react-dangerously-set-html"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui/src/components/ui/chart.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6223, "scanner": "repobility-journey-contract", "fingerprint": "7d3d9af53da53926c49e6951bc53bfb80bb9f9a05730147f581f76fc8879ca9d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/chat", "correlation_key": "fp|7d3d9af53da53926c49e6951bc53bfb80bb9f9a05730147f581f76fc8879ca9d", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/minimal/app/assistant.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6222, "scanner": "repobility-journey-contract", "fingerprint": "17fc447a3afd48bd2ae02e8a8edb64218a3f5709df4cd28f35727d71dc3175a8", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp-apps", "correlation_key": "fp|17fc447a3afd48bd2ae02e8a8edb64218a3f5709df4cd28f35727d71dc3175a8", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/mcp/app/assistant.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6221, "scanner": "repobility-journey-contract", "fingerprint": "3cd5877ec9dd84bafe6de8141c4d3aa11bb5ae8d695a6d246c20da500a4753e8", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], 
"route_shape": "/api/chat", "correlation_key": "fp|3cd5877ec9dd84bafe6de8141c4d3aa11bb5ae8d695a6d246c20da500a4753e8", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/mcp/app/assistant.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6220, "scanner": "repobility-journey-contract", "fingerprint": "9622f35057cda184232eff8542f8fad0206e504e2f36edfbbae94a80eacacb74", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat", "correlation_key": "fp|9622f35057cda184232eff8542f8fad0206e504e2f36edfbbae94a80eacacb74", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/default/app/assistant.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6219, "scanner": "repobility-journey-contract", "fingerprint": "c5c7d0e11adad587cdde87c0b7e2503a030720955486eb2d6bc148d4c240cad1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat", "correlation_key": 
"fp|c5c7d0e11adad587cdde87c0b7e2503a030720955486eb2d6bc148d4c240cad1", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/cloud-clerk/app/assistant.tsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6218, "scanner": "repobility-journey-contract", "fingerprint": "82775d1ccb95b415192a544096b07a413183667c0b3dca59b9c3db067c7719f0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat", "correlation_key": "fp|82775d1ccb95b415192a544096b07a413183667c0b3dca59b9c3db067c7719f0", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/cloud/app/assistant.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6217, "scanner": "repobility-journey-contract", "fingerprint": "9217d2a4928b735ebaa83c9a9d76f6be06a782f49721b9629b4f7b12ad9208c4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/adk", "correlation_key": 
"fp|9217d2a4928b735ebaa83c9a9d76f6be06a782f49721b9629b4f7b12ad9208c4", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-google-adk/src/AdkClient.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6216, "scanner": "repobility-journey-contract", "fingerprint": "a681820d64222af67aed8ea29e4f04aed852a0e2fbefa575bdaccffc001d4c8f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/adk", "correlation_key": "fp|a681820d64222af67aed8ea29e4f04aed852a0e2fbefa575bdaccffc001d4c8f", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-google-adk/src/AdkClient.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6215, "scanner": "repobility-journey-contract", "fingerprint": "2ced4400da89a3850a5f3a92085bbfe0ccc1f6be6fc67e59f7de6b1765318ee6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat", "correlation_key": 
"fp|2ced4400da89a3850a5f3a92085bbfe0ccc1f6be6fc67e59f7de6b1765318ee6", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/registry/app/ai-sdk/assistant.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6214, "scanner": "repobility-journey-contract", "fingerprint": "2c3712aadb60cfff71330128fab2501a48925558fa156f9fe6048f2b51794347", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/doc/chat", "correlation_key": "fp|2c3712aadb60cfff71330128fab2501a48925558fa156f9fe6048f2b51794347", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/contexts/AssistantRuntimeProvider.tsx"}, "region": {"startLine": 169}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6213, "scanner": "repobility-journey-contract", "fingerprint": "1a426e9f2c57e0b401c8ceb2bab18dee3948ff7933d34b3cd3a28b18c9112951", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/github/repo", "correlation_key": 
"fp|1a426e9f2c57e0b401c8ceb2bab18dee3948ff7933d34b3cd3a28b18c9112951", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/home/star-pill.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6212, "scanner": "repobility-journey-contract", "fingerprint": "a4709647f9aa366cfc8318c0e7ce247aabf021056d184d25cb0a0c82a8eaa1be", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/playground-chat", "correlation_key": "fp|a4709647f9aa366cfc8318c0e7ce247aabf021056d184d25cb0a0c82a8eaa1be", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/builder/builder-chat-sidebar.tsx"}, "region": {"startLine": 116}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6211, "scanner": "repobility-journey-contract", "fingerprint": "75f3fc1b07384f84f163aef9fadb085bfe274d5884df1cadb9c9fe52dadd672c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/og", "correlation_key": 
"fp|75f3fc1b07384f84f163aef9fadb085bfe274d5884df1cadb9c9fe52dadd672c", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/robots.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6210, "scanner": "repobility-journey-contract", "fingerprint": "334ea76e3719d44753b67d1b37142030b4b4659ef1c2244e9f30c0eca5a530d9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/og", "correlation_key": "fp|334ea76e3719d44753b67d1b37142030b4b4659ef1c2244e9f30c0eca5a530d9", "backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/layout.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6209, "scanner": "repobility-journey-contract", "fingerprint": "6956d3f4a0e3f06c785fd8bfcd124c019a0853d2a6ec73c88c3df67c2de98fb2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/og", "correlation_key": "fp|6956d3f4a0e3f06c785fd8bfcd124c019a0853d2a6ec73c88c3df67c2de98fb2", 
"backend_endpoint_count": 15}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/layout.tsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /chat/route."}, "properties": {"repobilityId": 6208, "scanner": "repobility-access-control", "fingerprint": "d32a9bf5ac876a25cf8782179513d85d6d11219d934306694156e051d8502376", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/chat/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|10|auc009", "duplicate_count": 2, "identity_targets": ["unknown"], "duplicate_rule_ids": ["AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["be84214456e44a5de5f747640434235977da8de7d01ac9c27514099f5cf65667", "d32a9bf5ac876a25cf8782179513d85d6d11219d934306694156e051d8502376", "f98f0bbdf6fcfd528de039c301baca46aa549edfe3cbfe7e4942b29e49081aae"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/registry/app/api/chat/route.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /(home)/llms.mdx/::...slug."}, "properties": {"repobilityId": 6207, "scanner": "repobility-access-control", "fingerprint": "15123f3c5ea627c2e6c1e58be78dabb72fc13484fad48876dcef351dbad8f68b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(home)/llms.mdx/::...slug", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apps/docs/app/ home /llms.mdx/ ...slug /route.ts|8|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/(home)/llms.mdx/[[...slug]]/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /(home)/blog/llms.md/:slug."}, "properties": {"repobilityId": 6206, "scanner": "repobility-access-control", "fingerprint": "0ee592e9f62391b08779d89c1029617f36deffcb43f2d3c81bd86af7d86cfe08", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(home)/blog/llms.md/:slug", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apps/docs/app/ home /blog/llms.md/ slug /route.ts|13|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/(home)/blog/llms.md/[slug]/route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /(home)/llms-full.txt."}, "properties": {"repobilityId": 6205, "scanner": "repobility-access-control", "fingerprint": "8cbdbbf541f6b7578f1080f802fd33c194ffd09ce90973e8e7c814f013b22f5c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(home)/llms-full.txt", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apps/docs/app/ home /llms-full.txt/route.ts|7|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/(home)/llms-full.txt/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /(home)/llms.txt."}, "properties": {"repobilityId": 6204, "scanner": "repobility-access-control", "fingerprint": "a3cba5cb5ff4cba3f132ef4e169339f036f9690c9500ba12e2a26c8859d9ae73", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(home)/llms.txt", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apps/docs/app/ home /llms.txt/route.ts|6|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/(home)/llms.txt/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /doc/chat/route."}, "properties": {"repobilityId": 6203, "scanner": "repobility-access-control", "fingerprint": "7a101de37ae6fe775bc1f2212542bf767268d291426c6d15e54a93e64e552caa", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/doc/chat/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|268|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/api/doc/chat/route.ts"}, "region": {"startLine": 268}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /chat/route."}, "properties": {"repobilityId": 6202, "scanner": "repobility-access-control", "fingerprint": "f0b22941bcb5180b4bdda9bd5cf55bce213b7a9f494ac5fa0a5108ea9593ca8e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/chat/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|38|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/api/chat/route.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /playground-chat/route."}, "properties": {"repobilityId": 6201, "scanner": "repobility-access-control", "fingerprint": "cd8458647b9f46f72daa3d4df7cf09a246b48b5ad27245f8178dd47c44ede619", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/playground-chat/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|137|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/api/playground-chat/route.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 6.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 6199, "scanner": "repobility-access-control", "fingerprint": "525df9dedee18c57e42166e57d7b502ddb2028ae340df59a319b9837f9d6f43e", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 15, "correlation_key": "fp|525df9dedee18c57e42166e57d7b502ddb2028ae340df59a319b9837f9d6f43e", "auth_visible_percent": 6.7}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 6198, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", 
"category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 6191, "scanner": "repobility-agent-runtime", "fingerprint": "60952a27365b8e99a57e4e3cd1c98d3792d9f7cdce8fd39053254f9d07dfa73e", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|60952a27365b8e99a57e4e3cd1c98d3792d9f7cdce8fd39053254f9d07dfa73e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/hooks/use-persistent-boolean.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 6190, "scanner": "repobility-agent-runtime", "fingerprint": "e0bcb4f6c1f6c3a0fd291816b337aaf2472de0c317039f8e1354a86adbab3f0a", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", 
"scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|e0bcb4f6c1f6c3a0fd291816b337aaf2472de0c317039f8e1354a86adbab3f0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/docs/platform/context.tsx"}, "region": {"startLine": 195}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6189, "scanner": "repobility-ai-code-hygiene", "fingerprint": "33c8da3072deca34723650d17c5bb174784fc910a2fb1088f48e2847887fc4df", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/runtimes/external-store/external-store-thread-runtime-core.ts", "duplicate_line": 53, "correlation_key": "fp|33c8da3072deca34723650d17c5bb174784fc910a2fb1088f48e2847887fc4df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/runtimes/remote-thread-list/empty-thread-core.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6188, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e28ec5b8989c08429cb1184cbc61826b7fd204bb10ac20a8684242f248c8522", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "packages/core/src/runtimes/external-store/external-store-thread-runtime-core.ts", "duplicate_line": 53, "correlation_key": "fp|8e28ec5b8989c08429cb1184cbc61826b7fd204bb10ac20a8684242f248c8522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/runtimes/readonly/ReadonlyThreadRuntimeCore.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50058, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca35bc60646caa881efc8452dfcfd58fb4ced9d176a7f929a91ed3455f0426ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/react-a2a/src/useA2ARuntime.ts", "duplicate_line": 139, "correlation_key": "fp|ca35bc60646caa881efc8452dfcfd58fb4ced9d176a7f929a91ed3455f0426ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-ag-ui/src/useAgUiRuntime.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50057, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38f0a22f7fbc3e72ef887af8d9ea6b171b1df5ee0613544f78a47f97c4ecada2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/react-a2a/src/A2AThreadRuntimeCore.ts", "duplicate_line": 129, "correlation_key": "fp|38f0a22f7fbc3e72ef887af8d9ea6b171b1df5ee0613544f78a47f97c4ecada2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-ag-ui/src/runtime/AgUiThreadRuntimeCore.ts"}, "region": {"startLine": 121}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50056, "scanner": "repobility-ai-code-hygiene", "fingerprint": "41c3df68a7c25a70df65558e6079b3e075d3031850a49b852bcd05a1a5eed130", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/index.ts", "duplicate_line": 5, "correlation_key": "fp|41c3df68a7c25a70df65558e6079b3e075d3031850a49b852bcd05a1a5eed130"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/types/index.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50055, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d28890e32455fd73909f30090688b0049bc64c1b483d44fc8f2b7393320563d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/store/clients/thread-message-client.ts", "duplicate_line": 121, "correlation_key": 
"fp|d28890e32455fd73909f30090688b0049bc64c1b483d44fc8f2b7393320563d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/store/runtime-clients/message-runtime-client.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50054, "scanner": "repobility-ai-code-hygiene", "fingerprint": "908f736f4a76daf4e230b86936be0a763a8a50cd7bad9e0d7c009b85e629e14d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/react/providers/TextMessagePartProvider.tsx", "duplicate_line": 21, "correlation_key": "fp|908f736f4a76daf4e230b86936be0a763a8a50cd7bad9e0d7c009b85e629e14d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/store/clients/thread-message-client.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50053, "scanner": "repobility-ai-code-hygiene", "fingerprint": "07eab3b38fdb3b4294ecd4c10102ca2e98b8a0b72b59557354b0add4960c74e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/runtimes/external-store/external-store-thread-runtime-core.ts", "duplicate_line": 54, "correlation_key": 
"fp|07eab3b38fdb3b4294ecd4c10102ca2e98b8a0b72b59557354b0add4960c74e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/runtimes/remote-thread-list/empty-thread-core.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50052, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7656ffb394feebc221d6fa5c1f8139966c6b49ff541b8d5e35d3bb7b14ca293b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/runtimes/external-store/external-store-thread-runtime-core.ts", "duplicate_line": 54, "correlation_key": "fp|7656ffb394feebc221d6fa5c1f8139966c6b49ff541b8d5e35d3bb7b14ca293b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/runtimes/readonly/ReadonlyThreadRuntimeCore.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `openai_agent` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: except=1, for=2, if=4, nested_bonus=3."}, "properties": {"repobilityId": 50026, "scanner": "repobility-threat-engine", "fingerprint": "de0e96bba71806b914f770262aa8e9c472258515050138f9834f14b6f562b411", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "openai_agent", "breakdown": {"if": 4, "for": 2, "except": 1, "nested_bonus": 3}, "complexity": 10, "correlation_key": "fp|de0e96bba71806b914f770262aa8e9c472258515050138f9834f14b6f562b411"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-ag-ui/server/agent.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 49991, "scanner": "repobility-threat-engine", "fingerprint": "d0dd51be9cff1a01df4d430c4eb7e29baa74de14db1f95cb9e4f7cbd15e793b0", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = r", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|72|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui/src/components/assistant-ui/mermaid-diagram.tsx"}, "region": {"startLine": 72}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22170, "scanner": "repobility", "fingerprint": "f308de5a42b86aa5c9f1e9bb94364bc1", "category": 
"quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "TODO this should never be hit; this happens if args-text-finish", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/assistant-stream/src/core/accumulators/assistant-message-accumulator.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 6197, "scanner": "repobility-threat-engine", "fingerprint": "049aa3af2ac9ebbb19de486d4cc96778f3ec72357fe12ae4f3471e3ecec06512", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML +=", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|24|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/safe-content-frame/page.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 6196, "scanner": "repobility-threat-engine", "fingerprint": "6b1b8d339825d1f9a824a8f3aa6e22b57e0c5efc2a47a05aa9e2e700a14624c2", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = r", "reason": "No user-input 
source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|27|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/docs/samples/mermaid.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6187, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9f29d53680d2837604d186974b56c33338000199e24372f85a3719f85a5b0985", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cloud-ai-sdk/src/core/extractRunTelemetry.ts", "duplicate_line": 4, "correlation_key": "fp|9f29d53680d2837604d186974b56c33338000199e24372f85a3719f85a5b0985"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/react/runtimes/cloud/AssistantCloudThreadHistoryAdapter.ts"}, "region": {"startLine": 170}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6186, "scanner": "repobility-ai-code-hygiene", "fingerprint": "61cc94b056d90e7a4e3e803ac1193afe65a3b9a366ba71a9755207518114bebc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/core/src/react/primitives/composer/ComposerAttachments.tsx", "duplicate_line": 31, "correlation_key": "fp|61cc94b056d90e7a4e3e803ac1193afe65a3b9a366ba71a9755207518114bebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/react/primitives/message/MessageAttachments.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6185, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83cf308c525a682550d2f6638052a33a48c43cf1010d95a7525e7c9b70fa297f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cli/src/codemods/v0-8/ui-package-split.ts", "duplicate_line": 48, "correlation_key": "fp|83cf308c525a682550d2f6638052a33a48c43cf1010d95a7525e7c9b70fa297f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/codemods/v0-9/edge-package-split.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6184, "scanner": "repobility-ai-code-hygiene", "fingerprint": "364add5b6b8758ff1ddf2e8b67821a868049dd061d4c4cb6afd0352ed746a977", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/assistant-stream/src/resumable/stores/ioredis.ts", "duplicate_line": 28, "correlation_key": "fp|364add5b6b8758ff1ddf2e8b67821a868049dd061d4c4cb6afd0352ed746a977"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/assistant-stream/src/resumable/stores/redis.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6183, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f257f7b6ee9c64226b0aada64a91aba0124e2b44ece5773ad2e0c0be55eb1bb5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/assistant-stream/src/core/serialization/assistant-transport/AssistantTransport.ts", "duplicate_line": 29, "correlation_key": "fp|f257f7b6ee9c64226b0aada64a91aba0124e2b44ece5773ad2e0c0be55eb1bb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/assistant-stream/src/core/utils/stream/SSE.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6182, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f257420e432662fb83c84b7e6ada585ba7c5ff32ce7ff4bf231a5f69e15f6115", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/assistant-stream/src/core/serialization/assistant-transport/AssistantTransport.ts", "duplicate_line": 31, "correlation_key": "fp|f257420e432662fb83c84b7e6ada585ba7c5ff32ce7ff4bf231a5f69e15f6115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/assistant-stream/src/core/serialization/ui-message-stream/UIMessageStream.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6181, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a456629204706902bb0dd5b65b2c0000a3df962396c197149ce85e1d25033e36", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/social-media/src/launches/react-ink.tsx", "duplicate_line": 194, "correlation_key": "fp|a456629204706902bb0dd5b65b2c0000a3df962396c197149ce85e1d25033e36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/social-media/src/launches/react-native.tsx"}, "region": {"startLine": 241}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6180, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a917e1fed4b3ee72f04dc6b6c87f64ee56fa8ee64352bc6961988c70a6f312a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"apps/social-media/src/launches/cloud-ai-sdk.tsx", "duplicate_line": 101, "correlation_key": "fp|a917e1fed4b3ee72f04dc6b6c87f64ee56fa8ee64352bc6961988c70a6f312a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/social-media/src/launches/react-native.tsx"}, "region": {"startLine": 238}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6179, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5860c133f51e80a012da7b58074fa6bfcc62c723fcc49e66e2f691626313dc51", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/social-media/src/launches/cloud-ai-sdk.tsx", "duplicate_line": 101, "correlation_key": "fp|5860c133f51e80a012da7b58074fa6bfcc62c723fcc49e66e2f691626313dc51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/social-media/src/launches/react-ink.tsx"}, "region": {"startLine": 191}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6178, "scanner": "repobility-ai-code-hygiene", "fingerprint": "afe99d9f7fe02a8f81cf957942a52a086a949c78b1ec6481238ecc5b08ccb6b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/social-media/src/launches/cloud-ai-sdk.tsx", "duplicate_line": 101, "correlation_key": 
"fp|afe99d9f7fe02a8f81cf957942a52a086a949c78b1ec6481238ecc5b08ccb6b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/social-media/src/launches/cloud-dashboard.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 50051, "scanner": "repobility-threat-engine", "fingerprint": "af46dd64a315c1da1764d9b1dda925f70cae1ff3b2ab2d882d7dad27f964258d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af46dd64a315c1da1764d9b1dda925f70cae1ff3b2ab2d882d7dad27f964258d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend/setup.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 50048, "scanner": "repobility-threat-engine", "fingerprint": "86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "aggregated_count": 1}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 50047, "scanner": "repobility-threat-engine", "fingerprint": "46df7aa01cf3aefc475a373670e25beaecfae2a46f2718b3316dedca76f794a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46df7aa01cf3aefc475a373670e25beaecfae2a46f2718b3316dedca76f794a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/src/assistant_stream/serialization/openai_stream.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 50046, "scanner": "repobility-threat-engine", "fingerprint": 
"9074e703574fe4671d9385ee4aad07c5c8e985f2a9eb6abbf7f99533a175a912", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9074e703574fe4671d9385ee4aad07c5c8e985f2a9eb6abbf7f99533a175a912"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/src/assistant_stream/serialization/data_stream.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 50045, "scanner": "repobility-threat-engine", "fingerprint": "9546ab74f9dcc6ba55c52d4451cd6a0ddd7a527046df3c51bd32134810995541", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9546ab74f9dcc6ba55c52d4451cd6a0ddd7a527046df3c51bd32134810995541"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/src/assistant_stream/create_run.py"}, "region": {"startLine": 248}}}]}, {"ruleId": "MINED065", 
"level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 50044, "scanner": "repobility-threat-engine", "fingerprint": "7a0db4962620e194f5ea4957ae24516a7c7eee3b14a1f84b93f316f281f883b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a0db4962620e194f5ea4957ae24516a7c7eee3b14a1f84b93f316f281f883b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend/main.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 50043, "scanner": "repobility-threat-engine", "fingerprint": "a7bf20f6d5a81ad01e27409fba039eada1d894a8b13a8e757db8192291ca877b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7bf20f6d5a81ad01e27409fba039eada1d894a8b13a8e757db8192291ca877b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend-langgraph/main.py"}, "region": {"startLine": 291}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 50042, "scanner": "repobility-threat-engine", "fingerprint": "7327ea10c4c7050af9d4d70f0724fe9f6c8a1ae0e2ccb484d58d83d5c803216f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7327ea10c4c7050af9d4d70f0724fe9f6c8a1ae0e2ccb484d58d83d5c803216f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream-hello-world/api/chat/completions/index.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC002", "level": "none", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 50039, "scanner": "repobility-threat-engine", "fingerprint": "c443f3cf0dec1d1aa740140a1af205d69479d7be38371f6b6fc94eec7a4baf0c", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential", "evidence": {"match": "API_KEY='<redacted>'", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react/scripts/test-integration.sh"}, "region": 
{"startLine": 11}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 50037, "scanner": "repobility-threat-engine", "fingerprint": "edccec1f48afa2498d847220ca467f3d6f089cedba3ac7c3ad873137d0390e47", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|edccec1f48afa2498d847220ca467f3d6f089cedba3ac7c3ad873137d0390e47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/react/runtimes/RemoteThreadListHookInstanceManager.tsx"}, "region": {"startLine": 174}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 50035, "scanner": "repobility-threat-engine", "fingerprint": "2949c2702d7166dac258164d4c52ef70add92ecb6c82892fbc20aaf8046756af", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2949c2702d7166dac258164d4c52ef70add92ecb6c82892fbc20aaf8046756af"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 50028, "scanner": "repobility-threat-engine", "fingerprint": "ae057f38a82b4ab40df0f4aaddc1a0bad56cc3e35c9a31fbdc7db8da14fe6f6c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "echo_agent", "breakdown": {"if": 3, "for": 3, "elif": 1, "break": 2, "nested_bonus": 12}, "aggregated": true, "complexity": 21, "correlation_key": "fp|ae057f38a82b4ab40df0f4aaddc1a0bad56cc3e35c9a31fbdc7db8da14fe6f6c", "aggregated_count": 7}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 50024, "scanner": "repobility-threat-engine", "fingerprint": "f0990407eb5f498803037da8b1274f35b38893ebccb07e39ac45b2d2e1590814", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", 
"correlation_key": "fp|f0990407eb5f498803037da8b1274f35b38893ebccb07e39ac45b2d2e1590814"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-ag-ui/server/agent.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 50023, "scanner": "repobility-threat-engine", "fingerprint": "68699b266c0ef2dd9e3683c76aac5e8ccbed361a3124bef050de34402f222622", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68699b266c0ef2dd9e3683c76aac5e8ccbed361a3124bef050de34402f222622"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend/setup.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 50022, "scanner": "repobility-threat-engine", "fingerprint": "1fcc9380b267167caf2342edb5f2d8ae19b18c99b7d696682b1ab50e0acc1d98", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, 
"scanner": "repobility-threat-engine", "correlation_key": "fp|1fcc9380b267167caf2342edb5f2d8ae19b18c99b7d696682b1ab50e0acc1d98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react-ink/benchmarks/long-thread.bench.tsx"}, "region": {"startLine": 278}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 50021, "scanner": "repobility-threat-engine", "fingerprint": "7d088a4e2036939d5a635c5ada8a2a7c7d7c9b05b36e2e7aef095d82fab80c2e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7d088a4e2036939d5a635c5ada8a2a7c7d7c9b05b36e2e7aef095d82fab80c2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-ag-ui/server/agent.py"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 50020, "scanner": "repobility-threat-engine", "fingerprint": "6fa2e9ef1c1856e1ba7ae153052023beba4be6def90f2e547c9aea7606eafe65", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6fa2e9ef1c1856e1ba7ae153052023beba4be6def90f2e547c9aea7606eafe65"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 50016, "scanner": "repobility-threat-engine", "fingerprint": "074ce61b6ec3e9c2230ba67245ed6eedac8a52365d8468ddef170c6b814d2302", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"   - OPENAI_API_KEY (for OpenAI GPT models)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|9|print - openai_api_key for openai gpt models"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend/setup.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 50015, "scanner": "repobility-threat-engine", "fingerprint": "07635ef0a0576236cd469e9bd34a69cd2cb7127f5071ca285eb824578c005957", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "print(f\"OpenAI API Key: {'configured' if os.getenv('OPENAI_API_KEY')", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|16|print f openai api key: configured if os.getenv openai_api_key"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-ag-ui/server/agent.py"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 50014, "scanner": "repobility-threat-engine", "fingerprint": "7b598fdaf383cfc36bb47487a6288f6c05331e134be3d9cad8f33bfe7c779478", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b598fdaf383cfc36bb47487a6288f6c05331e134be3d9cad8f33bfe7c779478"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 50013, "scanner": "repobility-threat-engine", "fingerprint": "542a104e374438902be4a731a27ca881b59fb712b385afc7ba8b9acfa4cc0029", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|31|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-resumable-stream/app/api/chat/route.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 50012, "scanner": "repobility-threat-engine", "fingerprint": "eeec2a6c9b92d7d7f8c8060d13d648ded06c70fcf6cce6edc9126388648818c3", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|155|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-chain-of-thought/app/api/chat/route.ts"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 50011, "scanner": "repobility-threat-engine", "fingerprint": "0d6d039f9d2661b848213854f305d93d3467d5a7f6b13b3804fd7dafec29f1c1", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|29|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-ag-ui/app/MyRuntimeProvider.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 50010, "scanner": "repobility-threat-engine", "fingerprint": "0a79f77301c76b2b2dfcfe558436a3b4a6362b85e9cc52cda1d60492c32b7a06", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a79f77301c76b2b2dfcfe558436a3b4a6362b85e9cc52cda1d60492c32b7a06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/scripts/generate-primitive-docs.mts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new 
without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 50009, "scanner": "repobility-threat-engine", "fingerprint": "78d9253faaab611a7ae30c45f0984ee7c75695247148c99c602d3a8e091a2b13", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78d9253faaab611a7ae30c45f0984ee7c75695247148c99c602d3a8e091a2b13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/scripts/api-reference/type-docs.mts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 50008, "scanner": "repobility-threat-engine", "fingerprint": "e14fa1629a87af2b8c0c250122b1b4125941703edd0edd7f00f3f46696c3eea9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e14fa1629a87af2b8c0c250122b1b4125941703edd0edd7f00f3f46696c3eea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"apps/docs/scripts/api-reference/discover.mts"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 50007, "scanner": "repobility-threat-engine", "fingerprint": "fefe65e9f1a066ed2a6e589829c146cc09bc2bb2a9bcd24e1cb63d0d9b69651e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fefe65e9f1a066ed2a6e589829c146cc09bc2bb2a9bcd24e1cb63d0d9b69651e", "aggregated_count": 19}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50006, "scanner": "repobility-threat-engine", "fingerprint": "637e17cfc70f43f57f22d5deeb297b54b2c9c8c7f5938070f754c5e8e7d2d4cf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|637e17cfc70f43f57f22d5deeb297b54b2c9c8c7f5938070f754c5e8e7d2d4cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-expo/components/assistant-ui/message.tsx"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50005, "scanner": "repobility-threat-engine", "fingerprint": "73b5f2c26d72b2d0d1497638bbb1eb95de958160ec85f513cebdf5deb08e719d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|73b5f2c26d72b2d0d1497638bbb1eb95de958160ec85f513cebdf5deb08e719d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-expo/components/assistant-ui/composer.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50004, "scanner": "repobility-threat-engine", "fingerprint": "7685c8e0d814c72fb184fa6c76185445973ac87466054f1451ea391ba7477276", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", 
"triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7685c8e0d814c72fb184fa6c76185445973ac87466054f1451ea391ba7477276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/home/glowing-effect.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 50003, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 49999, "scanner": "repobility-threat-engine", "fingerprint": "f50747163d70dab1fa2519c9a96d374fa64771763e354f97facd6a46500faf29", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f50747163d70dab1fa2519c9a96d374fa64771763e354f97facd6a46500faf29"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 49995, "scanner": "repobility-threat-engine", "fingerprint": "e6b12850e54eb1ffa424becfb0f6a8e7a5c6d257d13b26934f0112681066c89f", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e6b12850e54eb1ffa424becfb0f6a8e7a5c6d257d13b26934f0112681066c89f"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 49990, "scanner": "repobility-threat-engine", "fingerprint": "f72595851c68ac7bd4568c20a503a38dea50ecdb0e314c658472f89a3de8b548", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f72595851c68ac7bd4568c20a503a38dea50ecdb0e314c658472f89a3de8b548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui/src/components/ui/chart.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 49989, "scanner": "repobility-threat-engine", "fingerprint": "935c802026cccbf7d950942af1b5a6a3165338f1120cf46218faadf0e3edba1b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|935c802026cccbf7d950942af1b5a6a3165338f1120cf46218faadf0e3edba1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/layout.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 49988, "scanner": "repobility-threat-engine", "fingerprint": "a1abc0f73fcbbde4bfde07d3a1caa75668c0f255cd2533e6367562d2e96a50c7", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 25 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a1abc0f73fcbbde4bfde07d3a1caa75668c0f255cd2533e6367562d2e96a50c7"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 55 more): Same pattern found in 55 additional files. Review if needed."}, "properties": {"repobilityId": 49984, "scanner": "repobility-threat-engine", "fingerprint": "d6efcee56993c735fa4e36991b25c9e2624210af7c791aae45978bb8fabf2ad2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 55 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d6efcee56993c735fa4e36991b25c9e2624210af7c791aae45978bb8fabf2ad2", "aggregated_count": 55}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 49983, "scanner": "repobility-threat-engine", "fingerprint": "9f7cc4323a8c9477d691cd2777fc2decb493a4009c78a6af3a32e78f8c124a18", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f7cc4323a8c9477d691cd2777fc2decb493a4009c78a6af3a32e78f8c124a18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/ink/terminal-demo.tsx"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 49982, "scanner": "repobility-threat-engine", "fingerprint": "ea63e70fa357d37c2477e665cd10ded34f254e9cd84111f7c025f1538c15998f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea63e70fa357d37c2477e665cd10ded34f254e9cd84111f7c025f1538c15998f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/api/og/route.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 49981, "scanner": "repobility-threat-engine", "fingerprint": "44b4dfd7ddc4a126b6ee54514a5c191b1e72563fa2e6a30f3278c24f87a9650f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|44b4dfd7ddc4a126b6ee54514a5c191b1e72563fa2e6a30f3278c24f87a9650f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/(home)/changelog/changelog-list.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "properties": {"repobilityId": 49980, "scanner": "repobility-threat-engine", "fingerprint": "3f7413cb135ae04a7586574135aad69750d08d39a34c6d120b6af9903ec3a42f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3f7413cb135ae04a7586574135aad69750d08d39a34c6d120b6af9903ec3a42f", "aggregated_count": 35}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 49979, "scanner": "repobility-threat-engine", "fingerprint": "bdcdd00958400e5132908f2898807daac1b7c772905ddfb33ece9316a2a9f487", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bdcdd00958400e5132908f2898807daac1b7c772905ddfb33ece9316a2a9f487"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/ink/terminal-demo.tsx"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 49978, "scanner": "repobility-threat-engine", "fingerprint": "223d3735026b0713ac336fc80c21d6e8135ee35c60d5f6c36ae4b518518293a7", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|223d3735026b0713ac336fc80c21d6e8135ee35c60d5f6c36ae4b518518293a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/(home)/changelog/changelog-list.tsx"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 49977, "scanner": "repobility-threat-engine", "fingerprint": "b82098164bc78a332c9d2b16beb23fb85eded0e41e1b13d51e904efb3545fd91", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b82098164bc78a332c9d2b16beb23fb85eded0e41e1b13d51e904efb3545fd91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/devtools-frame/components/thread/ThreadDetails.tsx"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 27 
more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 49976, "scanner": "repobility-threat-engine", "fingerprint": "94f74923c8c7d4a15bd0052ef38b34f810eb178024375a04743e43f6095f5fa9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|94f74923c8c7d4a15bd0052ef38b34f810eb178024375a04743e43f6095f5fa9", "aggregated_count": 27}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 49975, "scanner": "repobility-threat-engine", "fingerprint": "33e1ffb20c85519b0e79099c38ebd67f18f07edd5a87bbe3b7354d6b1c70d757", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33e1ffb20c85519b0e79099c38ebd67f18f07edd5a87bbe3b7354d6b1c70d757"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-expo/components/assistant-ui/message.tsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 49974, "scanner": "repobility-threat-engine", "fingerprint": "efb2af892bc1020fc370edf2dc7067b85d1c742c30d7006d5df1abe5015ee836", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|efb2af892bc1020fc370edf2dc7067b85d1c742c30d7006d5df1abe5015ee836"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-expo/components/assistant-ui/composer.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 49973, "scanner": "repobility-threat-engine", "fingerprint": "ce815d5489360edac99ad48fb6a03ffe7e996c67bb68428a7ffe755e4f18579b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce815d5489360edac99ad48fb6a03ffe7e996c67bb68428a7ffe755e4f18579b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/devtools-extension/devtools-panel.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 66 more): Same pattern found in 66 additional files. Review if needed."}, "properties": {"repobilityId": 49972, "scanner": "repobility-threat-engine", "fingerprint": "50743162ae68ec504cadc8e301d04020227776683b1a5df9f482e4eafc0d70de", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 66 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|50743162ae68ec504cadc8e301d04020227776683b1a5df9f482e4eafc0d70de", "aggregated_count": 66}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 49971, "scanner": "repobility-threat-engine", "fingerprint": "8c1571b6ddf8cfd31374b92b7ceff224f845e784359873171704aca23838d254", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c1571b6ddf8cfd31374b92b7ceff224f845e784359873171704aca23838d254"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/devtools-extension/devtools-panel.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 49970, "scanner": "repobility-threat-engine", "fingerprint": "cfffc00267367cf96620a1df4e191f3ad98180369bc89766ce6bbeeb28d773d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cfffc00267367cf96620a1df4e191f3ad98180369bc89766ce6bbeeb28d773d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/devtools-extension/content.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 49969, "scanner": "repobility-threat-engine", "fingerprint": "96ae8e6a20962d256e7a90a402230a95268cbf713ee3f31d2ddd21668479fb88", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96ae8e6a20962d256e7a90a402230a95268cbf713ee3f31d2ddd21668479fb88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/devtools-extension/background.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "properties": {"repobilityId": 49968, "scanner": "repobility-threat-engine", "fingerprint": "b7270a60e427ef80f66e518ce8f7d3b7a214324c6b92e160fd988cfa6c32d331", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 34 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 34 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b7270a60e427ef80f66e518ce8f7d3b7a214324c6b92e160fd988cfa6c32d331"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 6195, "scanner": "repobility-threat-engine", "fingerprint": "9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 6194, "scanner": "repobility-threat-engine", "fingerprint": "b1bf5ab018801388ef57ff92cf690df06298777b13f0c020fc6e26c7c71b129b", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|43|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/docs/samples/streamdown.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 6193, "scanner": "repobility-threat-engine", "fingerprint": "e4a03dd47f9736e8140e4cd75af7103ab26c628610781efdfd29b3c41049570a", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|23|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/docs/samples/mermaid.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 6192, "scanner": "repobility-threat-engine", "fingerprint": "3376bef2414f90c9f467cef39eb89be3620b1ed6ff432d235c8992bdd6d5254f", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|36|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/home/warp-background.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50139, "scanner": "repobility-supply-chain", "fingerprint": "307e6f7fa5076b0518a56be0e5783cf7c0913b9f081cd1658b0c4685c8b47b89", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|307e6f7fa5076b0518a56be0e5783cf7c0913b9f081cd1658b0c4685c8b47b89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yaml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50138, "scanner": "repobility-supply-chain", "fingerprint": "088db63216945b557782181936f28de666346edb498a704a3049c405b308fae8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|088db63216945b557782181936f28de666346edb498a704a3049c405b308fae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yaml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50137, "scanner": "repobility-supply-chain", "fingerprint": "133dc49555cd55df8ba9d0feb2cfa7dd43bd8194530ac3a0445f953122b8ff0a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|133dc49555cd55df8ba9d0feb2cfa7dd43bd8194530ac3a0445f953122b8ff0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yaml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50136, "scanner": "repobility-supply-chain", "fingerprint": "cd043ca7ae5a859f0bcb1c2f91c3ec62a2e4a8c1b2047f0aea09437df3bc9acf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd043ca7ae5a859f0bcb1c2f91c3ec62a2e4a8c1b2047f0aea09437df3bc9acf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yaml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50135, "scanner": "repobility-supply-chain", "fingerprint": "cc6dd68eca793865818b708e121d968e6ceaebd500c7c59ca4156241e29e58f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc6dd68eca793865818b708e121d968e6ceaebd500c7c59ca4156241e29e58f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yaml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50134, "scanner": "repobility-supply-chain", "fingerprint": "9c52e38513bd4028d9e952e5b6f2ffb8f9abfdfd9baaff344273c11694d5e6f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c52e38513bd4028d9e952e5b6f2ffb8f9abfdfd9baaff344273c11694d5e6f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yaml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50133, "scanner": "repobility-supply-chain", "fingerprint": "6ff08a7f2d1741b6e33858120154ba5cdd52cec532fd448637990e174165dffa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ff08a7f2d1741b6e33858120154ba5cdd52cec532fd448637990e174165dffa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yaml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50132, "scanner": "repobility-supply-chain", "fingerprint": "edb630b1f458f31b57350cc2bbe04548cc670d42328e5d58fb47d68360398135", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|edb630b1f458f31b57350cc2bbe04548cc670d42328e5d58fb47d68360398135"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yaml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50131, "scanner": "repobility-supply-chain", "fingerprint": "332efb6b9673322715607a0afe934e14d3c0280e2a27d9b0d54a8cb28c6359e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|332efb6b9673322715607a0afe934e14d3c0280e2a27d9b0d54a8cb28c6359e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50130, "scanner": "repobility-supply-chain", "fingerprint": "5571daf975a5c32d6f0f3722081d40b026271e325f69c067df40103ed2e0d48e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5571daf975a5c32d6f0f3722081d40b026271e325f69c067df40103ed2e0d48e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50129, "scanner": "repobility-supply-chain", "fingerprint": "9db2bf19fe981f82809fcae8fac7233908ba6b7ef0bb12d15145c023fc67971b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9db2bf19fe981f82809fcae8fac7233908ba6b7ef0bb12d15145c023fc67971b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50128, "scanner": "repobility-supply-chain", "fingerprint": "47cf2a8a191dd47b9f2d7f866131a4ef88844d70f7669d16d327499a51b8444c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47cf2a8a191dd47b9f2d7f866131a4ef88844d70f7669d16d327499a51b8444c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/registry.yaml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50127, "scanner": "repobility-supply-chain", "fingerprint": "93cdf58dcdfc4be89b49b3d93717901d68b590c07e91cbf00cb457c6af020afc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93cdf58dcdfc4be89b49b3d93717901d68b590c07e91cbf00cb457c6af020afc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/registry.yaml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50126, "scanner": "repobility-supply-chain", "fingerprint": "4e32ab4424ed5dd3afaff904d9f94058d73c5f2fdfa908f9db580254a7eea60b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e32ab4424ed5dd3afaff904d9f94058d73c5f2fdfa908f9db580254a7eea60b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/registry.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50125, "scanner": "repobility-supply-chain", "fingerprint": "98dd6e36d972beb431dd15b6eb93f0c2021c3c0b0d2b422f983e98583a8bfce2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98dd6e36d972beb431dd15b6eb93f0c2021c3c0b0d2b422f983e98583a8bfce2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/registry.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50124, "scanner": "repobility-supply-chain", "fingerprint": "22718cca2b3a8fcc82bd5c7597b0f5c7010108e2258fe4d101d3c2d5f28b8145", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22718cca2b3a8fcc82bd5c7597b0f5c7010108e2258fe4d101d3c2d5f28b8145"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools-frame.yaml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50123, "scanner": "repobility-supply-chain", "fingerprint": "398ceac6a1334735d3bb606493eb8817cc2524871cb5b17277d9e6b8ff4ef1bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|398ceac6a1334735d3bb606493eb8817cc2524871cb5b17277d9e6b8ff4ef1bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools-frame.yaml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50122, "scanner": "repobility-supply-chain", "fingerprint": "8dc01a41ef8501784b4dc8d00e16ef2ff34ca4a6da43093cab838e47f1f52ba1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8dc01a41ef8501784b4dc8d00e16ef2ff34ca4a6da43093cab838e47f1f52ba1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools-frame.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50121, "scanner": "repobility-supply-chain", "fingerprint": "dcd8540c92141ada8dd4206674f67d97179bf12556ef3f8f69a8ce72a55119b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dcd8540c92141ada8dd4206674f67d97179bf12556ef3f8f69a8ce72a55119b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/devtools-frame.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50120, "scanner": "repobility-supply-chain", "fingerprint": "a82de540b1ab3a2a5119fcaf687bcdca4d9e9e0f854c39349baee115efb33699", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a82de540b1ab3a2a5119fcaf687bcdca4d9e9e0f854c39349baee115efb33699"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/expo.yaml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50119, "scanner": "repobility-supply-chain", "fingerprint": "1939aad70b0bb2769955dbfea6234aa5635cf9a9ffbf092f19749b21b022c9ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1939aad70b0bb2769955dbfea6234aa5635cf9a9ffbf092f19749b21b022c9ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/expo.yaml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50118, "scanner": "repobility-supply-chain", "fingerprint": "6469a87723455acb071e2c48c7ed30b0923dd2ccc3d7c80fd2542c305242fe85", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6469a87723455acb071e2c48c7ed30b0923dd2ccc3d7c80fd2542c305242fe85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/expo.yaml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50117, "scanner": "repobility-supply-chain", "fingerprint": "981c6e05d57170ee9633a10fd36128a40b71717664f138b8405e669b991b7716", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|981c6e05d57170ee9633a10fd36128a40b71717664f138b8405e669b991b7716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/expo.yaml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50115, "scanner": "repobility-supply-chain", "fingerprint": "0b91e1118e0602cd45517768be73f0a54c622ba0747730aad61c4323272e5177", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b91e1118e0602cd45517768be73f0a54c622ba0747730aad61c4323272e5177"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50114, "scanner": "repobility-supply-chain", "fingerprint": "9c79ca67c2f588f826c112072feda3d6bf9a09726e0ac79d21517c9c29079e7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c79ca67c2f588f826c112072feda3d6bf9a09726e0ac79d21517c9c29079e7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 50112, "scanner": "repobility-route-auth", "fingerprint": "076967508488de72103c80d584c30a854c05aff23fb80fe9ef3d949691bd9019", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|076967508488de72103c80d584c30a854c05aff23fb80fe9ef3d949691bd9019"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-mcp/server/server.ts"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/chat/completions has no auth: Handler 
`chat_completions` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 50111, "scanner": "repobility-route-auth", "fingerprint": "ad06deb8b043b890f224a59b6eb30da12ab3d1fa9ec6c4ccf2c3dd741d012ff7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ad06deb8b043b890f224a59b6eb30da12ab3d1fa9ec6c4ccf2c3dd741d012ff7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream-hello-world/api/chat/completions/index.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /assistant has no auth: Handler `assistant_endpoint` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 50110, "scanner": "repobility-route-auth", "fingerprint": "703948cab075ea476c241d36932c6673e5f4da9dceb1041487d9b6b38861f575", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|703948cab075ea476c241d36932c6673e5f4da9dceb1041487d9b6b38861f575"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend/main.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /dict-test has no auth: Handler `dict_test` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 50109, "scanner": "repobility-route-auth", "fingerprint": "cfabc7936801af883fb14aa29033bfdfc1a07503285a2a1c564cfb3b9d86e294", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|cfabc7936801af883fb14aa29033bfdfc1a07503285a2a1c564cfb3b9d86e294"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/state-test/server.py"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /list-test has no auth: Handler `list_test` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 50108, "scanner": "repobility-route-auth", "fingerprint": "40149b1403776876c6290ffd0d487c64c2ab4257a95af424fe3aa5eaf68e667f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|40149b1403776876c6290ffd0d487c64c2ab4257a95af424fe3aa5eaf68e667f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/state-test/server.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /string-test has no auth: Handler `string_test` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 50107, "scanner": "repobility-route-auth", "fingerprint": "b0beb1ad658594aed9223f2497a24c13035201e6a4ff3f043239b40aeac3aebd", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|b0beb1ad658594aed9223f2497a24c13035201e6a4ff3f043239b40aeac3aebd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/state-test/server.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /complex-test has no auth: Handler `complex_test` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 50106, "scanner": "repobility-route-auth", "fingerprint": "dbda86734bc7a83f730d8d0a3228f8540cbd55f5bcf09389cc91e49855a4a547", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|dbda86734bc7a83f730d8d0a3228f8540cbd55f5bcf09389cc91e49855a4a547"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/state-test/server.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /simple-test has no auth: Handler `simple_test` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 50105, "scanner": "repobility-route-auth", "fingerprint": "02991479202cafa46ecb7ca02517656ce32753a1155e76c6658cb264d9b9d00f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|02991479202cafa46ecb7ca02517656ce32753a1155e76c6658cb264d9b9d00f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/state-test/server.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /assistant has no auth: Handler `chat_endpoint` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 50104, "scanner": "repobility-route-auth", "fingerprint": "a5a582e4ed12458e2db0d91a4e2bb3174733bb9039fd49cd7c2c218277eb52f3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|a5a582e4ed12458e2db0d91a4e2bb3174733bb9039fd49cd7c2c218277eb52f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend-langgraph/main.py"}, "region": {"startLine": 302}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /agent has no auth: Handler `agent_endpoint` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 50103, "scanner": "repobility-route-auth", "fingerprint": "403e942654e266a759114b44023b9b8d94bb7e2e3d4419b6c72a5823d5c7b3b9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|403e942654e266a759114b44023b9b8d94bb7e2e3d4419b6c72a5823d5c7b3b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-ag-ui/server/agent.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50100, "scanner": "repobility-ast-engine", "fingerprint": "cf9402a1bba5dddafa5a045c3b5a7cc139fb20f02b69d054f177ba70ccec5e71", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf9402a1bba5dddafa5a045c3b5a7cc139fb20f02b69d054f177ba70ccec5e71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50099, "scanner": "repobility-ast-engine", "fingerprint": "78fb0178032bf2db7e1387270e6329ad1a7cd5c3a05949d2f256ba9d747dfe41", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|78fb0178032bf2db7e1387270e6329ad1a7cd5c3a05949d2f256ba9d747dfe41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50098, "scanner": "repobility-ast-engine", "fingerprint": "b73af8699c9e829a93c4a7bc005f4d2dc948d5d849511b4b1a4da4934ef67ce1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b73af8699c9e829a93c4a7bc005f4d2dc948d5d849511b4b1a4da4934ef67ce1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50097, "scanner": "repobility-ast-engine", "fingerprint": "8a1566ceb70c35f160782a099603934c3a5d58699ec0eb175e819d6f7f71b1db", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a1566ceb70c35f160782a099603934c3a5d58699ec0eb175e819d6f7f71b1db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50096, "scanner": "repobility-ast-engine", "fingerprint": "4e0c36a062c382e8d7d8ba170c7d85fad8b70a3c017ac9010a4b6e9e2d634777", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e0c36a062c382e8d7d8ba170c7d85fad8b70a3c017ac9010a4b6e9e2d634777"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50095, "scanner": "repobility-ast-engine", "fingerprint": "4154b5d7c62b6f8f7ff1c65de29bf65a3b2c2bc0c607433b2a3ebfc2e0dc925f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4154b5d7c62b6f8f7ff1c65de29bf65a3b2c2bc0c607433b2a3ebfc2e0dc925f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_replace_non_ai_message` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50094, "scanner": "repobility-ast-engine", "fingerprint": "46b0943e02f61ea70fc2119863db855a1e023853c861ab6b1baca0117f2adc68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|46b0943e02f61ea70fc2119863db855a1e023853c861ab6b1baca0117f2adc68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_replace_non_ai_message` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50093, "scanner": "repobility-ast-engine", "fingerprint": "ff7a12b631024274b514e67c9faf4a8f07860f684a66b6f1fd6ee339ad837aaa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ff7a12b631024274b514e67c9faf4a8f07860f684a66b6f1fd6ee339ad837aaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_merge_ai_message_chunk` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50092, "scanner": "repobility-ast-engine", "fingerprint": "d76083b3a622ce86c82efafa4a4d2a543d0d803d4b867c4e698e4209996d1066", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d76083b3a622ce86c82efafa4a4d2a543d0d803d4b867c4e698e4209996d1066"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_merge_ai_message_chunk` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50091, "scanner": "repobility-ast-engine", "fingerprint": "b0d66291f2d5497bc1136ecaceaef278698082ce0e37c42209a21c940e3eb1f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b0d66291f2d5497bc1136ecaceaef278698082ce0e37c42209a21c940e3eb1f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_merge_ai_message_chunk` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50090, "scanner": "repobility-ast-engine", "fingerprint": "c1dcbf79a218430b2ec80ad45a9da08e52ff0935d14e65d578cb5911d3b61b9b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c1dcbf79a218430b2ec80ad45a9da08e52ff0935d14e65d578cb5911d3b61b9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_list` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50089, "scanner": "repobility-ast-engine", "fingerprint": "6ba630f5736b41b99797bccf204484ae065989acbafe60c3a75d9d69de11728f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6ba630f5736b41b99797bccf204484ae065989acbafe60c3a75d9d69de11728f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_list` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50088, "scanner": "repobility-ast-engine", "fingerprint": "07e230defd83b300070756122a35cafea69ddcdf9e7c8e11517cab613dafa555", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|07e230defd83b300070756122a35cafea69ddcdf9e7c8e11517cab613dafa555"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_list` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50087, "scanner": "repobility-ast-engine", "fingerprint": "44b210b3418922b7507e3a30840a0e2e8e51292713215e92629825467009e626", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44b210b3418922b7507e3a30840a0e2e8e51292713215e92629825467009e626"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_to_empty_state` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50086, "scanner": "repobility-ast-engine", "fingerprint": "198ee49bc0a0b074300328c09a131dca16897fd98aba536f887e465621301d90", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|198ee49bc0a0b074300328c09a131dca16897fd98aba536f887e465621301d90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_to_empty_state` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50085, "scanner": "repobility-ast-engine", "fingerprint": "17416cb8c592564d6e49cad15e926102c24c64ade53e0ca69af39b3e12b80358", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|17416cb8c592564d6e49cad15e926102c24c64ade53e0ca69af39b3e12b80358"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_to_empty_state` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50084, "scanner": "repobility-ast-engine", "fingerprint": "b0461b5a526c9491d2b156e091b2f04f0e8aba95b2d6957ea1dfa00a4a3ca364", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b0461b5a526c9491d2b156e091b2f04f0e8aba95b2d6957ea1dfa00a4a3ca364"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_to_empty_state` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50083, "scanner": "repobility-ast-engine", "fingerprint": "e76399678b4b0046b7fef6752c691a3133cbc20a30e9c67c437315990eb9880c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e76399678b4b0046b7fef6752c691a3133cbc20a30e9c67c437315990eb9880c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_append_message_to_empty_state` of class `TestLangGraphIntegration` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50082, "scanner": "repobility-ast-engine", "fingerprint": "cfe1305d7bdd87f3bfdb46963bef6e54e0cdfe1f05101373bf9b4135594c84e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cfe1305d7bdd87f3bfdb46963bef6e54e0cdfe1f05101373bf9b4135594c84e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/tests/test_langgraph.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.close_sync` used but never assigned in __init__: Method `__exit__` of class `AssistantClient` reads `self.close_sync`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50081, "scanner": "repobility-ast-engine", "fingerprint": "3daa1f0deeed4ce87a3fc1a627986881fb6b3d6719cc23d476fac2696a4c1f1c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3daa1f0deeed4ce87a3fc1a627986881fb6b3d6719cc23d476fac2696a4c1f1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/src/assistant_ui/client.py"}, "region": {"startLine": 451}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.close` used but never assigned in __init__: Method `__aexit__` of class `AssistantClient` reads `self.close`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50080, "scanner": "repobility-ast-engine", "fingerprint": "ec02baf50128d478de9e364577ed35091ac9011c57c557090552350b401c8ff4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec02baf50128d478de9e364577ed35091ac9011c57c557090552350b401c8ff4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/src/assistant_ui/client.py"}, "region": {"startLine": 443}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_headers_sync` used but never assigned in __init__: Method `_make_request_sync` of class `AssistantClient` reads `self._get_headers_sync`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50079, "scanner": "repobility-ast-engine", "fingerprint": "ceb0988f37741b2d5399944cc04935a9a6d334749f6fb5c5e464cb588e67a832", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ceb0988f37741b2d5399944cc04935a9a6d334749f6fb5c5e464cb588e67a832"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/src/assistant_ui/client.py"}, "region": {"startLine": 411}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._ensure_sync_client` used but never assigned in __init__: Method `_make_request_sync` of class `AssistantClient` reads `self._ensure_sync_client`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50078, "scanner": "repobility-ast-engine", "fingerprint": "648299f07fb2e9125801c3c8d3a784269a92eb214e5f3a8df502e326b9d891ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|648299f07fb2e9125801c3c8d3a784269a92eb214e5f3a8df502e326b9d891ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/src/assistant_ui/client.py"}, "region": {"startLine": 410}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._get_headers` used but never assigned in __init__: Method `_make_request` of class `AssistantClient` reads `self._get_headers`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50077, "scanner": "repobility-ast-engine", "fingerprint": "7a924a5fefbff739e3c4bda59ecbb37c759aa718db793d68d6ef2c2f0f52c6f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a924a5fefbff739e3c4bda59ecbb37c759aa718db793d68d6ef2c2f0f52c6f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/src/assistant_ui/client.py"}, "region": {"startLine": 389}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._ensure_async_client` used but never assigned in __init__: Method `_make_request` of class `AssistantClient` reads `self._ensure_async_client`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 50076, "scanner": "repobility-ast-engine", "fingerprint": "d03e2a18533aed4dd09034f1117000074c6d08745feae58e6e3d485cb43d8301", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d03e2a18533aed4dd09034f1117000074c6d08745feae58e6e3d485cb43d8301"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/src/assistant_ui/client.py"}, "region": {"startLine": 388}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_cancel: Test function `test_cancel` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 50075, "scanner": "repobility-ast-engine", "fingerprint": "6e68f0f84351d25cfa1cc7775e86c7e77ee37cb5558bb2c09248cafcee48885b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6e68f0f84351d25cfa1cc7775e86c7e77ee37cb5558bb2c09248cafcee48885b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-ui-sync-server-api/tests/test_client.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_direct_tool_result: Test function `test_direct_tool_result` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 50066, "scanner": "repobility-ast-engine", "fingerprint": "c301ab1b673591e5dd0daaa5e52baee940a95fa2ec22b68c8aed5a401c075b26", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c301ab1b673591e5dd0daaa5e52baee940a95fa2ec22b68c8aed5a401c075b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend-langgraph/test_subgraph.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_subgraph_chat: Test function `test_subgraph_chat` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 50065, "scanner": "repobility-ast-engine", "fingerprint": "22e30c57a7d9767f807954fa8d786054b757d6ab585b51fd4e61b3aa1db57555", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22e30c57a7d9767f807954fa8d786054b757d6ab585b51fd4e61b3aa1db57555"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend-langgraph/test_subgraph.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_health: Test function `test_health` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 50064, "scanner": "repobility-ast-engine", "fingerprint": "fa82bbe062c8f8c404a6e3edeabf1e531ab4851fa2a50097c14f67c9c7134d5f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa82bbe062c8f8c404a6e3edeabf1e531ab4851fa2a50097c14f67c9c7134d5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend-langgraph/test_client.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_chat: Test function `test_chat` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 50063, "scanner": "repobility-ast-engine", "fingerprint": "fe0d43bfd278e555401ce12e8cc11ddfbf330e7b7af69c4952956615127df5df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe0d43bfd278e555401ce12e8cc11ddfbf330e7b7af69c4952956615127df5df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend-langgraph/test_client.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 50050, "scanner": "repobility-threat-engine", "fingerprint": "650a4eee939efe1c5096b3a1342ddeb93c7857ded2e43d822b4ddee56531fc17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|650a4eee939efe1c5096b3a1342ddeb93c7857ded2e43d822b4ddee56531fc17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend/setup.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: 
state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 50036, "scanner": "repobility-threat-engine", "fingerprint": "92e30cd04888afdc9275df78d701a3f4978a4efbaae10920d6299bbb2541ba6e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92e30cd04888afdc9275df78d701a3f4978a4efbaae10920d6299bbb2541ba6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/assistant-stream/src/resumable/stores/InMemoryResumableStreamStore.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 50031, "scanner": "repobility-threat-engine", "fingerprint": "7b3c280c3a656983e6fb03bebf903590a95eba453916cb354a22e83984895e10", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b3c280c3a656983e6fb03bebf903590a95eba453916cb354a22e83984895e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/langgraph/app/api/[..._path]/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 50030, "scanner": "repobility-threat-engine", "fingerprint": "debb72955cee8a5f950bf2313bdef5bd857ba6e72bfdf4d249c37f02c51b032a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|debb72955cee8a5f950bf2313bdef5bd857ba6e72bfdf4d249c37f02c51b032a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-langgraph/app/api/[..._path]/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 50019, "scanner": "repobility-threat-engine", "fingerprint": "72b4cde6d7ec9d5ee26d0c2b58111abc01aa367eaa6764cccf62f3ce35f63225", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.post(\"/assistant\")\nasync def chat_endpoint(request: ChatRequest)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|72b4cde6d7ec9d5ee26d0c2b58111abc01aa367eaa6764cccf62f3ce35f63225"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-transport-backend-langgraph/main.py"}, "region": {"startLine": 301}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 50018, "scanner": "repobility-threat-engine", "fingerprint": "06165f6876eea03e1cc9cb698cfa7c35fa561ebe26680f7571932dd55518e77f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.post(\"/api/chat/completions\")\nasync def chat_completions()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|06165f6876eea03e1cc9cb698cfa7c35fa561ebe26680f7571932dd55518e77f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream-hello-world/api/chat/completions/index.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 50017, "scanner": "repobility-threat-engine", "fingerprint": "dd42797c224b0580f4449cc290afceb47b3aaec23b142b9182ea90b39360ffce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.post(\"/agent\")\nasync def agent_endpoint(request: Request)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd42797c224b0580f4449cc290afceb47b3aaec23b142b9182ea90b39360ffce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-ag-ui/server/agent.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50002, "scanner": "repobility-threat-engine", "fingerprint": "3a36c85596d8b6d4ca8583b9a248814fafa71b05ec6d1839de8005350f5d52e4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a36c85596d8b6d4ca8583b9a248814fafa71b05ec6d1839de8005350f5d52e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/doctor.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50001, "scanner": "repobility-threat-engine", "fingerprint": "d132286511669d492a79f453569e5fe3ddd6062a69d8456d0531c8b0745ab835", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d132286511669d492a79f453569e5fe3ddd6062a69d8456d0531c8b0745ab835"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-ffmpeg/app/page.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50000, "scanner": "repobility-threat-engine", "fingerprint": "6caad08bda30768ffaad20095559cbc9224db47810542fdc59b84f86fddf89dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(source", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6caad08bda30768ffaad20095559cbc9224db47810542fdc59b84f86fddf89dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/docs/preview-code.server.tsx"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 49994, "scanner": "repobility-threat-engine", "fingerprint": "e541ed6c2b25cf9e8c0127fd667ff7c859c4833e8b77b1ce18956334465a7c8b", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((c) => `https://r.assistant-ui.com/${c}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e541ed6c2b25cf9e8c0127fd667ff7c859c4833e8b77b1ce18956334465a7c8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/docs/fumadocs/install/install-command.tsx"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 49993, "scanner": "repobility-threat-engine", "fingerprint": "bbb0eb70749491fb5234e9bfbe359d63ab571529c4f4f3add946ced7100b20f7", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line) => `- ${line}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bbb0eb70749491fb5234e9bfbe359d63ab571529c4f4f3add946ced7100b20f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/careers/apply-form.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 49992, "scanner": "repobility-threat-engine", "fingerprint": "2c858ad65d035dbac266cbfc3017ec3b0b92742928a262141b486e260fb3fa24", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((h) => `/${h}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2c858ad65d035dbac266cbfc3017ec3b0b92742928a262141b486e260fb3fa24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/tw-glass/(home)/doc-components.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49987, "scanner": "repobility-threat-engine", "fingerprint": "c15d0e101291f2b8835b91dff02744f032ef775949b299b0d119d31f6362174e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c15d0e101291f2b8835b91dff02744f032ef775949b299b0d119d31f6362174e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/tw-glass/(home)/pattern-picker.tsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49986, "scanner": "repobility-threat-engine", "fingerprint": "90cf0a44baa6fec9d396467efbc248cb83d8a030414471c680a6d7bfe77686a7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(w", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|90cf0a44baa6fec9d396467efbc248cb83d8a030414471c680a6d7bfe77686a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/not-found.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49985, "scanner": "repobility-threat-engine", "fingerprint": "aeabc28ec8d7362d9d81426ed36020e8fdb8d6550292a0a4948c757c9e96c145", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aeabc28ec8d7362d9d81426ed36020e8fdb8d6550292a0a4948c757c9e96c145"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/layout.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49967, "scanner": "repobility-threat-engine", "fingerprint": "657a59f67c21aecfcffb9c6369e15b027c7ca65206129d461fe81e81c225e2ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url.searchParams.delete(URL_PARAM);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|657a59f67c21aecfcffb9c6369e15b027c7ca65206129d461fe81e81c225e2ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/docs/platform/context.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49966, "scanner": "repobility-threat-engine", "fingerprint": "cd016d0ff862f207af87a38035df5ba10659cc305631e767c98c147c9ca33cde", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "modelStoreListeners.delete(listener);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cd016d0ff862f207af87a38035df5ba10659cc305631e767c98c147c9ca33cde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/components/docs/assistant/composer.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49965, "scanner": "repobility-threat-engine", "fingerprint": "8862588815c86bcd7f83b6ac0bff4accde906aab1d55a6c3b600b6aadd5fb329", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "devtoolsConnections.delete(tabId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8862588815c86bcd7f83b6ac0bff4accde906aab1d55a6c3b600b6aadd5fb329"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/devtools-extension/background.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /(home)/blog/llms.md/:slug."}, "properties": {"repobilityId": 6200, "scanner": "repobility-access-control", "fingerprint": "44e733cfb59a836f35dcc276d40b9e377d0eda351133c3e00a5de63b3ea7a105", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(home)/blog/llms.md/:slug", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apps/docs/app/ home /blog/llms.md/ slug /route.ts|13|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/app/(home)/blog/llms.md/[slug]/route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VERCEL_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VERCEL_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50141, "scanner": "repobility-supply-chain", "fingerprint": "6fa10d4fdd2f60deebed3b1a2a93706f4953389f78188b487519f3b9de49ec79", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6fa10d4fdd2f60deebed3b1a2a93706f4953389f78188b487519f3b9de49ec79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yaml"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VERCEL_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VERCEL_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50140, "scanner": "repobility-supply-chain", "fingerprint": "0635c139adb2098ca20f3a6aaae3ed3a072f681a623f37efcbc9e86c00794f76", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0635c139adb2098ca20f3a6aaae3ed3a072f681a623f37efcbc9e86c00794f76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yaml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLAUDE_CODE_OAUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50116, "scanner": "repobility-supply-chain", "fingerprint": "ecaddcd32747066f6d61ac1741791cd3ce4359460e34faabb4cc3301122e5e65", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ecaddcd32747066f6d61ac1741791cd3ce4359460e34faabb4cc3301122e5e65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 50101, "scanner": "repobility-ast-engine", "fingerprint": "67a869ffb30a6986d71beef87a0c67c7ae98975f1a388ce33e58da2afb08f41d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67a869ffb30a6986d71beef87a0c67c7ae98975f1a388ce33e58da2afb08f41d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/assistant-stream/src/assistant_stream/create_run.py"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 50029, "scanner": "repobility-threat-engine", "fingerprint": "21d2d7f420768d148830c6f358c077def34e85ea2be39594eb12489902251076", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21d2d7f420768d148830c6f358c077def34e85ea2be39594eb12489902251076"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/with-chain-of-thought/app/page.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15877, "scanner": "repobility", "fingerprint": "2fdc93563f6f3e132cc6c1dc6161e5e3", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template(targetDir, request", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-app-studio/src/cli/index.ts"}, "region": {"startLine": 861}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15876, "scanner": "repobility", "fingerprint": "a51e5f1f054ec3468b3610facf879291", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": 
"", "evidence": {"snippet": "Template(request", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-app-studio/src/cli/index.ts"}, "region": {"startLine": 855}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15875, "scanner": "repobility", "fingerprint": "760ff70db1db627d8145bbb285715335", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template(targetDir, request", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-app-studio/src/cli/index.ts"}, "region": {"startLine": 847}}}]}]}]}