{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /au"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /audits/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-92pp-h63x-v22m", "name": "@hono/node-server: GHSA-92pp-h63x-v22m", "shortDescription": {"text": "@hono/node-server: GHSA-92pp-h63x-v22m"}, "fullDescription": {"text": "@hono/node-server: Middleware bypass via repeated slashes in serveStatic"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `fuse.js` is minor version(s) behind (^7.3.0 -> 7.4.1)", "shortDescription": {"text": "npm package `fuse.js` is minor version(s) behind (^7.3.0 -> 7.4.1)"}, "fullDescription": {"text": "`fuse.js` is pinned/resolved at ^7.3.0 but the latest stable release on the npm registry is 7.4.1 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /checklists/:id/route."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /checklists/:id/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "MINED028", "name": "[MINED028] Ts Ignore Comment: // @ts-ignore silences all type errors on the next line.", "shortDescription": {"text": "[MINED028] Ts Ignore Comment: // @ts-ignore silences all type errors on the next line."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/upload-artifact` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/826"}, "properties": {"repository": "thedaviddias/Front-End-Checklist", "repoUrl": "https://github.com/thedaviddias/Front-End-Checklist", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 72895, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72893, "scanner": "repobility-journey-contract", "fingerprint": "9794a09e92b63099f465fb42f050ba101a884c2d864d956b1a7701aa97c2cd0c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/profile/github-sync", "correlation_key": "fp|9794a09e92b63099f465fb42f050ba101a884c2d864d956b1a7701aa97c2cd0c", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/profile/github-sync/route.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72892, "scanner": "repobility-journey-contract", "fingerprint": "b51b3ac87b22f6bcdc380f9a8ed971691b4f80b40cbddc315b06d7cd537037f7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp", "correlation_key": "fp|b51b3ac87b22f6bcdc380f9a8ed971691b4f80b40cbddc315b06d7cd537037f7", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/mcp/route.ts"}, "region": {"startLine": 364}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72891, "scanner": "repobility-journey-contract", "fingerprint": "8c4fc4d5bd524386355faa2bb1bba7c21188e3a4bf5a54a474c6dc2535adeac3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp", "correlation_key": "fp|8c4fc4d5bd524386355faa2bb1bba7c21188e3a4bf5a54a474c6dc2535adeac3", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/mcp/route.ts"}, "region": {"startLine": 299}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72890, "scanner": "repobility-journey-contract", "fingerprint": "8c8a7c28a5d92117df37c8077f5c176b14072b0d872e81b7c6ee8eea51474e5e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cron/supabase-keepalive", "correlation_key": "fp|8c8a7c28a5d92117df37c8077f5c176b14072b0d872e81b7c6ee8eea51474e5e", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/cron/supabase-keepalive/route.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72889, "scanner": "repobility-journey-contract", "fingerprint": "1086b74d9834182a645fdc6934078627f5a07137e5cadd18b76fd9548a0391aa", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/checklists", "correlation_key": "fp|1086b74d9834182a645fdc6934078627f5a07137e5cadd18b76fd9548a0391aa", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/checklists/route.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72888, "scanner": "repobility-journey-contract", "fingerprint": "9a7524572698af7087073f8ae9e9ec75b0db66c8a240b1ec39709927522ba348", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/checklists/{param}/share", "correlation_key": "fp|9a7524572698af7087073f8ae9e9ec75b0db66c8a240b1ec39709927522ba348", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/checklists/[id]/share/route.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72887, "scanner": "repobility-journey-contract", "fingerprint": "86b5560058f270af0601c0ca15b3a8625f2b2fc217493908841d29e8f69c6701", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/checklists/{param}/share", "correlation_key": "fp|86b5560058f270af0601c0ca15b3a8625f2b2fc217493908841d29e8f69c6701", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/checklists/[id]/share/route.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72886, "scanner": "repobility-journey-contract", "fingerprint": "93807aa0ef92b412cee91dfaa34ad8879156592a6c597fe2c682cd2f9a6d3659", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/checklists/{param}", "correlation_key": "fp|93807aa0ef92b412cee91dfaa34ad8879156592a6c597fe2c682cd2f9a6d3659", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/checklists/[id]/route.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72885, "scanner": "repobility-journey-contract", "fingerprint": "47149f25d4fa829db7254b0dacb84c278c8f02cdad6d80371729970eecfd82d3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/checklists/{param}", "correlation_key": "fp|47149f25d4fa829db7254b0dacb84c278c8f02cdad6d80371729970eecfd82d3", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/checklists/[id]/route.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72884, "scanner": "repobility-journey-contract", "fingerprint": "ee6ab61d05cd521b1799559f0b49fbcc99991492bf73068cfd8180051c3338a7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/audits", "correlation_key": "fp|ee6ab61d05cd521b1799559f0b49fbcc99991492bf73068cfd8180051c3338a7", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/audits/route.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72883, "scanner": "repobility-journey-contract", "fingerprint": "de402a5d7fbc4bcc4b00b9b74d376aba68e66dcd8f8b2fded6e8f6dde4c65583", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/audits", "correlation_key": "fp|de402a5d7fbc4bcc4b00b9b74d376aba68e66dcd8f8b2fded6e8f6dde4c65583", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/audits/audits-page-client.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72882, "scanner": "repobility-journey-contract", "fingerprint": "540bf2be184c8fe5d06812c11bdbf0ca717069f38c85c85d97872753688874bf", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/account", "correlation_key": "fp|540bf2be184c8fe5d06812c11bdbf0ca717069f38c85c85d97872753688874bf", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/(account)/settings/settings-page-client.tsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72881, "scanner": "repobility-journey-contract", "fingerprint": "f2af064f6e8ea4a5b1cb697d6e7adc3696033932a84830ae894f5e8f48f3801b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/account/export", "correlation_key": "fp|f2af064f6e8ea4a5b1cb697d6e7adc3696033932a84830ae894f5e8f48f3801b", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/(account)/settings/settings-page-client.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72880, "scanner": "repobility-journey-contract", "fingerprint": "caae4d74cf2895d4e5f6fd0c1ccfe8f3558a1e40ef3662a2c5c2dcecc4d0ae11", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/profile", "correlation_key": "fp|caae4d74cf2895d4e5f6fd0c1ccfe8f3558a1e40ef3662a2c5c2dcecc4d0ae11", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/(account)/profile/profile-page-client.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 72879, "scanner": "repobility-journey-contract", "fingerprint": "32f4a919ae49065d3307fe9e9b1b5fbfb9cc01fa1b780520934d604ae364609b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/profile/github-sync", "correlation_key": "fp|32f4a919ae49065d3307fe9e9b1b5fbfb9cc01fa1b780520934d604ae364609b", "backend_endpoint_count": 28}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/(account)/profile/profile-form.tsx"}, "region": {"startLine": 147}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /audits/route."}, "properties": {"repobilityId": 72878, "scanner": "repobility-access-control", "fingerprint": "918a39a7df666fea167e3a3c7a9e0346b695dbab521f4aa2bd7e69aba2ce50ed", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/audits/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|77|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/audits/route.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /audits/route."}, "properties": {"repobilityId": 72877, "scanner": "repobility-access-control", "fingerprint": "493b9ca64b3afdae9fabc0dd59338ceffbcdd43aaf7adb5a59ba580f8c5ed6ec", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/audits/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|28|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/audits/route.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /progress/route."}, "properties": {"repobilityId": 72876, "scanner": "repobility-access-control", "fingerprint": "52fb7598134356ca86d49765fa650b353929803b9441ef1db61d8a01047c42ea", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/progress/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|110|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/progress/route.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PUT /progress/route."}, "properties": {"repobilityId": 72875, "scanner": "repobility-access-control", "fingerprint": "a8f1892089d1a616dfb31ccd78194140945b4d3d384842d1f53c0c4e65f5be75", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/progress/route", "method": "PUT", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|35|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/progress/route.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /progress/route."}, "properties": {"repobilityId": 72874, "scanner": "repobility-access-control", "fingerprint": "d0605bedc8b82b1e86ca6adee34f396270152f3ad5a0d0a951947965c3d936a8", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/progress/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|11|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/progress/route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /account/route."}, "properties": {"repobilityId": 72873, "scanner": "repobility-access-control", "fingerprint": "8fa29002d740ea89854f123e35e953d626fd8a4167e0aed71b5d69b82ec0d936", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/account/route", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|12|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/account/route.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /profile/route."}, "properties": {"repobilityId": 72872, "scanner": "repobility-access-control", "fingerprint": "0c8ebde7a112756fd245ae34a90a3853bbb91acb78b62d2cb798face6e938538", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/profile/route", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|31|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/profile/route.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /profile/route."}, "properties": {"repobilityId": 72871, "scanner": "repobility-access-control", "fingerprint": "7741194e0564141021983ad854e161ff743f518c8c66605b3fa024b5b437dc52", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/profile/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|13|cwe-285", "duplicate_count": 1, "identity_targets": ["authenticated"], "duplicate_rule_ids": ["AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["7741194e0564141021983ad854e161ff743f518c8c66605b3fa024b5b437dc52", "9cd602a93c66c324c631f8441b73936d5c154325be54683f6e2a491de3274ff5"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/profile/route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /fix-suggestion/route."}, "properties": {"repobilityId": 72870, "scanner": "repobility-access-control", "fingerprint": "3f86287183d6e318c111818ed9e3e77299f75be6386bb80ac87468e91a67bb5b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/fix-suggestion/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|8|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/fix-suggestion/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 72867, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 72866, "scanner": "osv-scanner", "fingerprint": "fdef028f4a816ff49a3feddc8fea57767b8bd7a5285d824fe826196183701971", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 72865, "scanner": "osv-scanner", "fingerprint": "0b1dff5c952a767b7990e67b0d60cc580116a9b63b14cf0d44b920a59028efbf", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-92pp-h63x-v22m", "level": "warning", "message": {"text": "@hono/node-server: GHSA-92pp-h63x-v22m"}, "properties": {"repobilityId": 72864, "scanner": "osv-scanner", "fingerprint": "9dc4af0ce4e69cd302c18a60fee266d778f63bfd65f3810d1ed3661496fd5f32", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39406"], "package": "@hono/node-server", "rule_id": "GHSA-92pp-h63x-v22m", "scanner": "osv-scanner", "correlation_key": "vuln|hono/node-server|CVE-2026-39406|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 72858, "scanner": "repobility-threat-engine", "fingerprint": "ffb84f23c6ff128142405da04015ee28484dcafdc4c058d76e3e6488ec85d34d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (_error) {\n    return []\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ffb84f23c6ff128142405da04015ee28484dcafdc4c058d76e3e6488ec85d34d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/validation/check-as-casts.js"}, "region": {"startLine": 200}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 72857, "scanner": "repobility-threat-engine", "fingerprint": "332a09123d7467656b38db893c6250da724e762321942f9767660e515b0c158f", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://example.com/docs\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|99|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/audit/mcp-impact-benchmark.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 72842, "scanner": "repobility-threat-engine", "fingerprint": "c86cf1012186f380c7d6eaf8468e757fb698548bd11ccf406c24c12cffd6fc9c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c86cf1012186f380c7d6eaf8468e757fb698548bd11ccf406c24c12cffd6fc9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/hooks/use-user-checklists.ts"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 72824, "scanner": "repobility-threat-engine", "fingerprint": "2b911b441de9254a4d785f39c7933d6cf1e96bd51bc67b698a1c3ec1e0c7803c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|176|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/test-utils/accessibility.tsx"}, "region": {"startLine": 176}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 72823, "scanner": "repobility-threat-engine", "fingerprint": "46ba79a462f5a3e210d11e1bcff0f1aec2a0d8aa7c1a4ef91a4710e4409d5548", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|50|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/scripts/x-metadata.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 72822, "scanner": "repobility-threat-engine", "fingerprint": "e796966bae238bd6c0877a6e73aed34974f8ae540b9f8244c09c9729781448c2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|35|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/mentions/embeds/x-mention-card.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 72804, "scanner": "repobility-agent-runtime", "fingerprint": "a3156eb18e901ff5fe17afa9c98b3f525b1e43a790614732d15101633a0f5b70", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a3156eb18e901ff5fe17afa9c98b3f525b1e43a790614732d15101633a0f5b70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/audit-comparison/README.md"}, "region": {"startLine": 42}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 72894, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `fuse.js` is minor version(s) behind (^7.3.0 -> 7.4.1)"}, "properties": {"repobilityId": 72803, "scanner": "repobility-dependency-currency", "fingerprint": "107efab9f36c3f0de37bce9d12fa70c18ca55f268058acfd8255e983aeb99876", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fuse.js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.4.1", "correlation_key": "fp|107efab9f36c3f0de37bce9d12fa70c18ca55f268058acfd8255e983aeb99876", "current_version": "^7.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/search/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tanstack/react-query-persist-client` is minor version(s) behind (^5.100.14 -> 5.101.0)"}, "properties": {"repobilityId": 72802, "scanner": "repobility-dependency-currency", "fingerprint": "2911b8a236ec8311012ae8519fe0a2353120c889ddd87f210eb143dd29faa936", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tanstack/react-query-persist-client", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.101.0", "correlation_key": "fp|2911b8a236ec8311012ae8519fe0a2353120c889ddd87f210eb143dd29faa936", "current_version": "^5.100.14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/data-layer/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tanstack/react-virtual` is minor version(s) behind (^3.13.26 -> 3.14.2)"}, "properties": {"repobilityId": 72801, "scanner": "repobility-dependency-currency", "fingerprint": "45ac9052f80a3508344395fb9a377d194a3eee39bbbe26edb636ae3a1e352a1e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tanstack/react-virtual", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.14.2", "correlation_key": "fp|45ac9052f80a3508344395fb9a377d194a3eee39bbbe26edb636ae3a1e352a1e", "current_version": "^3.13.26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/virtualization/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `shiki` is minor version(s) behind (^4.1.0 -> 4.2.0)"}, "properties": {"repobilityId": 72799, "scanner": "repobility-dependency-currency", "fingerprint": "3d6fa0c195a21373e49189eceb0988e092b1d8c98b601ed3723db3d97ab42002", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shiki", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.2.0", "correlation_key": "fp|3d6fa0c195a21373e49189eceb0988e092b1d8c98b601ed3723db3d97ab42002", "current_version": "^4.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `fuse.js` is minor version(s) behind (^7.3.0 -> 7.4.1)"}, "properties": {"repobilityId": 72798, "scanner": "repobility-dependency-currency", "fingerprint": "1fba40e8cfc5c98d4f819e3bff2585cd045ee03662e775ab8f7247b6e204c87c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fuse.js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.4.1", "correlation_key": "fp|1fba40e8cfc5c98d4f819e3bff2585cd045ee03662e775ab8f7247b6e204c87c", "current_version": "^7.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tanstack/react-query-devtools` is minor version(s) behind (^5.100.14 -> 5.101.0)"}, "properties": {"repobilityId": 72797, "scanner": "repobility-dependency-currency", "fingerprint": "97e05aa28d7bc222862324b0c53e6669fafc8c1ce3b42b8d1f6626038cff8daa", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tanstack/react-query-devtools", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.101.0", "correlation_key": "fp|97e05aa28d7bc222862324b0c53e6669fafc8c1ce3b42b8d1f6626038cff8daa", "current_version": "^5.100.14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72769, "scanner": "repobility-ai-code-hygiene", "fingerprint": "93d162b38e6deb9f56a08e66256616f90835df6d718ad87e24cdfb0bfc65ecd7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/validators/src/validate-imports.ts", "duplicate_line": 127, "correlation_key": "fp|93d162b38e6deb9f56a08e66256616f90835df6d718ad87e24cdfb0bfc65ecd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/validators/src/validate-types.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72768, "scanner": "repobility-ai-code-hygiene", "fingerprint": "880a04d52def504221e7036479e2fcad762b928178bff5d8c2254eabd0730288", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/rules/src/types.ts", "duplicate_line": 3, "correlation_key": "fp|880a04d52def504221e7036479e2fcad762b928178bff5d8c2254eabd0730288"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/types/src/index.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72767, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7773160f926e13fe19deffde99bfb4873de6586a7e67f09ff8635669090d73f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/config/src/categories.ts", "duplicate_line": 3, "correlation_key": "fp|f7773160f926e13fe19deffde99bfb4873de6586a7e67f09ff8635669090d73f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/types/src/index.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72766, "scanner": "repobility-ai-code-hygiene", "fingerprint": "24d61327e4aac72c6e20b0130180f1bbec45162c472abb37f790b6c8b1eaa75a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/config/src/categories.ts", "duplicate_line": 3, "correlation_key": "fp|24d61327e4aac72c6e20b0130180f1bbec45162c472abb37f790b6c8b1eaa75a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/schemas/src/index.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72765, "scanner": "repobility-ai-code-hygiene", "fingerprint": "176c3401624e78d82f41b1e2e817940713530036d0051f4fdc35971d01a7ebda", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/config/src/categories.ts", "duplicate_line": 3, "correlation_key": "fp|176c3401624e78d82f41b1e2e817940713530036d0051f4fdc35971d01a7ebda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rules/src/types.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72764, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a66e8d1d72db4301385cc5a14a9b398c90746f4c1cbf56777d1266f2ad572df4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mcp/src/cli.ts", "duplicate_line": 71, "correlation_key": "fp|a66e8d1d72db4301385cc5a14a9b398c90746f4c1cbf56777d1266f2ad572df4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rules/src/load-rules.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72763, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94ef7479309f6cbc8926c494ba3a172426bdf2688d3b034358d9350d9da32375", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/config/src/categories.ts", "duplicate_line": 3, "correlation_key": "fp|94ef7479309f6cbc8926c494ba3a172426bdf2688d3b034358d9350d9da32375"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/tools/search-rules.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72762, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2999e00cf82088ee6db8b729871cbcae367a488cab780c10320da01c5ed3ad68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mcp/src/tools/metadata.ts", "duplicate_line": 15, "correlation_key": "fp|2999e00cf82088ee6db8b729871cbcae367a488cab780c10320da01c5ed3ad68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/tools/search-rules.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72761, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fdf7d96ec1a877f081614d3463955872bfcc68ffe31e7f591cab1f6e2dac57ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/config/src/categories.ts", "duplicate_line": 3, "correlation_key": "fp|fdf7d96ec1a877f081614d3463955872bfcc68ffe31e7f591cab1f6e2dac57ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/tools/metadata.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72760, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b343812b7f82a91d7779c5c10c39098ca63af48011627fac66ea78a17142e58", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mcp/src/tools/check-rule.ts", "duplicate_line": 136, "correlation_key": "fp|9b343812b7f82a91d7779c5c10c39098ca63af48011627fac66ea78a17142e58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/tools/get-rule.ts"}, "region": {"startLine": 290}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72759, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd3a1406f5cf7b869fa308874f528db1eda7d889cea75d49585deb1f5adfcb6c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mcp/src/tools/check-rule.ts", "duplicate_line": 136, "correlation_key": "fp|cd3a1406f5cf7b869fa308874f528db1eda7d889cea75d49585deb1f5adfcb6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/tools/fix-rule.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72758, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46ea3afaab38cb165bb855ee5d2e7d2036e755a653af6cb36bf4e578e9caa191", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mcp/src/tools/check-rule.ts", "duplicate_line": 136, "correlation_key": "fp|46ea3afaab38cb165bb855ee5d2e7d2036e755a653af6cb36bf4e578e9caa191"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/tools/explain-rule.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72757, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a122f5c0dfbae5fe80cf1db4a630f272e10f3a45e35bdf5579a0f92a8915be2b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/data-layer/src/export-mutations.ts", "duplicate_line": 38, "correlation_key": "fp|a122f5c0dfbae5fe80cf1db4a630f272e10f3a45e35bdf5579a0f92a8915be2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/export/src/index.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72756, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c2a77f0ddadf3aa2987c4e79c54a4aaae70b643dbf61ea30e60c4e299234a64", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/components/rules/detail/mdx-components.tsx", "duplicate_line": 15, "correlation_key": "fp|6c2a77f0ddadf3aa2987c4e79c54a4aaae70b643dbf61ea30e60c4e299234a64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/design-system/src/custom/content/code-surface.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72755, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7278242f351892f2f4d7429d27bcf34c63410110611c67d9c9f07f421a8df049", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/data-layer/src/index.ts", "duplicate_line": 23, "correlation_key": "fp|7278242f351892f2f4d7429d27bcf34c63410110611c67d9c9f07f421a8df049"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/data-layer/src/queries.ts"}, "region": {"startLine": 153}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72754, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2fd2e8d1065476fadc4471c771adfab94478bf01c6a77d15b8273254faa60a94", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/e2e/playwright.config.ts", "duplicate_line": 16, "correlation_key": "fp|2fd2e8d1065476fadc4471c771adfab94478bf01c6a77d15b8273254faa60a94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/playwright.config.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72753, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c62f14c30f7430426d1152244eda73ae341fff1d3bf464da659761923280c72", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/app/(site)/(account)/profile/profile-types.ts", "duplicate_line": 2, "correlation_key": "fp|8c62f14c30f7430426d1152244eda73ae341fff1d3bf464da659761923280c72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/lib/server/profile-service.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72752, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84ddca4cd99f3618b170ec7f74db362c5353db8b12b99547d79d1d71a52a8872", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/lib/cache.ts", "duplicate_line": 47, "correlation_key": "fp|84ddca4cd99f3618b170ec7f74db362c5353db8b12b99547d79d1d71a52a8872"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/lib/github.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72751, "scanner": "repobility-ai-code-hygiene", "fingerprint": "26a9ed28ada85c62c6cb13a0eda1dca4ff09707aeb7974d5e83613d1041a89c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/components/rules/browser/rules-browser-filters.tsx", "duplicate_line": 6, "correlation_key": "fp|26a9ed28ada85c62c6cb13a0eda1dca4ff09707aeb7974d5e83613d1041a89c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/rules/browser/rules-browser-toolbar.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72750, "scanner": "repobility-ai-code-hygiene", "fingerprint": "59ef92d15a9eb63b641f8e1f642747a214397d024a341ba314d6d571e8ecaaf9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/components/navigation/command-palette-provider.tsx", "duplicate_line": 137, "correlation_key": "fp|59ef92d15a9eb63b641f8e1f642747a214397d024a341ba314d6d571e8ecaaf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/navigation/command-palette.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72749, "scanner": "repobility-ai-code-hygiene", "fingerprint": "85038550c56cfda0db68734990c6126208a5bb13c7d5651515290323b12bf79b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/components/mentions/embeds/mention-embeds-compact.tsx", "duplicate_line": 7, "correlation_key": "fp|85038550c56cfda0db68734990c6126208a5bb13c7d5651515290323b12bf79b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/mentions/embeds/x-mention-card.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72748, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e462d9009be98104ade7a2135e33e62dd0af6a59e8c323721866dc2bc7832db7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/components/mentions/embeds/mention-embeds-compact.tsx", "duplicate_line": 124, "correlation_key": "fp|e462d9009be98104ade7a2135e33e62dd0af6a59e8c323721866dc2bc7832db7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/mentions/embeds/mention-embeds.tsx"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72747, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1a6cfbbdc30f82454303a8ce02c9281e3abccbcc8d8b98fe63cb89013ce467e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/components/checklists/browser/checklist-card.tsx", "duplicate_line": 91, "correlation_key": "fp|a1a6cfbbdc30f82454303a8ce02c9281e3abccbcc8d8b98fe63cb89013ce467e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/homepage/checklists-preview.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72746, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8b931dcd4e3e4b265707402f4d0eb6ce19316f27144a0f125a23644d188ec9d8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/components/checklists/browser/checklist-card.tsx", "duplicate_line": 175, "correlation_key": "fp|8b931dcd4e3e4b265707402f4d0eb6ce19316f27144a0f125a23644d188ec9d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/homepage/category-card.tsx"}, "region": {"startLine": 131}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72745, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a6b5d3dd1c6ad531ce5c7d81af96f5dd6c5ae118c7d85a9311b8dd5ee6bbfa8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/app/(site)/lists/user-checklist-card.tsx", "duplicate_line": 143, "correlation_key": "fp|9a6b5d3dd1c6ad531ce5c7d81af96f5dd6c5ae118c7d85a9311b8dd5ee6bbfa8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/homepage/category-card.tsx"}, "region": {"startLine": 129}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72744, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a9c2072f7cb2f65606f764c376d89a28bcbb3c05d177557bb3d9a2a4fb5d85f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/app/(site)/lists/user-checklist-card.tsx", "duplicate_line": 142, "correlation_key": "fp|2a9c2072f7cb2f65606f764c376d89a28bcbb3c05d177557bb3d9a2a4fb5d85f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/checklists/browser/checklist-card.tsx"}, "region": {"startLine": 172}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72743, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8ec64ebe3986a1152cb80b760d69fd627f06ac127af5e9a058ce23ddd18252e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/app/(site)/lists/lists-page-client.tsx", "duplicate_line": 83, "correlation_key": "fp|a8ec64ebe3986a1152cb80b760d69fd627f06ac127af5e9a058ce23ddd18252e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/checklists/actions/add-to-checklist-dropdown.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72742, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05c4ab510de87f115d3d652b3a4e355b08e4d60ba7e702ea77141717e33b3be6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/app/(site)/(account)/profile/profile-github-metadata-section.tsx", "duplicate_line": 38, "correlation_key": "fp|05c4ab510de87f115d3d652b3a4e355b08e4d60ba7e702ea77141717e33b3be6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/u/[username]/public-profile-client.tsx"}, "region": {"startLine": 215}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72741, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3d26b23e0477ddc3ba07e8c2f3e509c3f123370635fac05331913e8099cb5970", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/app/(site)/guide/guide-components.tsx", "duplicate_line": 10, "correlation_key": "fp|3d26b23e0477ddc3ba07e8c2f3e509c3f123370635fac05331913e8099cb5970"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/rules/[category]/[slug]/rule-page-support.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 72740, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7d7e30ecccac3ed94c6a124efe1d85d7f27765ed393fd862ca280139ebb3cd52", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/app/(site)/(account)/profile/profile-page-shell.tsx", "duplicate_line": 6, "correlation_key": "fp|7d7e30ecccac3ed94c6a124efe1d85d7f27765ed393fd862ca280139ebb3cd52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/(account)/settings/settings-page-shell.tsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 72739, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b09dc1be0288714e2c696bf468fac456a6971314c2419b75c8efcf405cfc892", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|6b09dc1be0288714e2c696bf468fac456a6971314c2419b75c8efcf405cfc892"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/lib/server/github-import-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 72738, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 72859, "scanner": "repobility-threat-engine", "fingerprint": "c0f2bd67336b285653288fbac54c9fa0631275d9740596bc6542f61c9594a5e1", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log('\\x1b[36m\ud83d\udca1 Consider enabling console removal in next.config.js:\\x1b[0m')", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|9|console.log x1b 36m consider enabling console removal in next.config.js: x1b 0m"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/validation/check-console-logs.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 72848, "scanner": "repobility-threat-engine", "fingerprint": "75baf4e2a3cbbe01271b2d1386f542d0c8f2f501e43aea772dda631d27dee0f8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|75baf4e2a3cbbe01271b2d1386f542d0c8f2f501e43aea772dda631d27dee0f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/auth/src/auth.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 72846, "scanner": "repobility-threat-engine", "fingerprint": "1a95a5d1d682a12bb642e28c36c0e874bff6cdc26089c46ae8ef263ee1155792", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1a95a5d1d682a12bb642e28c36c0e874bff6cdc26089c46ae8ef263ee1155792", "aggregated_count": 1}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 72845, "scanner": "repobility-threat-engine", "fingerprint": "2c89b9e4e4d600dc1e65cc7d5e97ae284491116371155c83b89e846a3bb8385b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c89b9e4e4d600dc1e65cc7d5e97ae284491116371155c83b89e846a3bb8385b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/seo/src/structured-data.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 72844, "scanner": "repobility-threat-engine", "fingerprint": "176af1be693555320f7c6543ccb6555ba90c8f1b82f48fd57ffc855adb2836c5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|176af1be693555320f7c6543ccb6555ba90c8f1b82f48fd57ffc855adb2836c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/design-system/src/custom/navigation/breadcrumb.tsx"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 72843, "scanner": "repobility-threat-engine", "fingerprint": "c54053ca0b4dddf2cf7acdc6d3699bf073d50ac39801dcb13de5d083afee6b3b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c54053ca0b4dddf2cf7acdc6d3699bf073d50ac39801dcb13de5d083afee6b3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/analytics/providers/openpanel.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 72841, "scanner": "repobility-threat-engine", "fingerprint": "729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "aggregated_count": 1}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 72840, "scanner": "repobility-threat-engine", "fingerprint": "b57f01af258fa25daa1d231981115feb3c1ea0569f397a5934f35a6300fbb50c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b57f01af258fa25daa1d231981115feb3c1ea0569f397a5934f35a6300fbb50c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/i18n/src/index.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 72839, "scanner": "repobility-threat-engine", "fingerprint": "a5704b960ab107404bb2f46bf1fd4b21f670bed92f3b42ff01ff2ea307c4fdff", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5704b960ab107404bb2f46bf1fd4b21f670bed92f3b42ff01ff2ea307c4fdff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/data-layer/src/utils.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 72838, "scanner": "repobility-threat-engine", "fingerprint": "8093da5138a7e12919061f8d2014993ee5e97b4006e17dc896ca49ae4acf34e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8093da5138a7e12919061f8d2014993ee5e97b4006e17dc896ca49ae4acf34e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/hooks/use-filters.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 72837, "scanner": "repobility-threat-engine", "fingerprint": "57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "aggregated_count": 2}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 72836, "scanner": "repobility-threat-engine", "fingerprint": "d10c610c984dce4cc09115172db44a50ecb3b5b565dc872d42757f465d4fbef4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d10c610c984dce4cc09115172db44a50ecb3b5b565dc872d42757f465d4fbef4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/utils/validation.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 72835, "scanner": "repobility-threat-engine", "fingerprint": "08d8fb6ccba527f1720c15280ab20d79282019b9477c897d90674592a24adf7d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08d8fb6ccba527f1720c15280ab20d79282019b9477c897d90674592a24adf7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/content-collections-rule-utils.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 72834, "scanner": "repobility-threat-engine", "fingerprint": "bb3b9008d7034b997e5649c5fee108a2e7b0d04ebcffdb3a476cc6f57ffd46f0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb3b9008d7034b997e5649c5fee108a2e7b0d04ebcffdb3a476cc6f57ffd46f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/content-collections-helpers.ts"}, "region": {"startLine": 244}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 72833, "scanner": "repobility-threat-engine", "fingerprint": "8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 72829, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 72825, "scanner": "repobility-threat-engine", "fingerprint": "2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0"}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 72821, "scanner": "repobility-threat-engine", "fingerprint": "94d4c4bbc1b92dc0c18edbfab48447eb857950044165d68fd51fafea0222ce4c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94d4c4bbc1b92dc0c18edbfab48447eb857950044165d68fd51fafea0222ce4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/mcp/route.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 72820, "scanner": "repobility-threat-engine", "fingerprint": "6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "aggregated_count": 3}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 72819, "scanner": "repobility-threat-engine", "fingerprint": "88c1a860627c2db16af0048d9ffb2101d89b4134a64210c62d3279e69e6cdde5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88c1a860627c2db16af0048d9ffb2101d89b4134a64210c62d3279e69e6cdde5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/lists/lists-page-client.tsx"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 72818, "scanner": "repobility-threat-engine", "fingerprint": "f09e23e9a7d2aef36f04df54d91eab7cbcf04813febf5279bc1bc6e26552896a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f09e23e9a7d2aef36f04df54d91eab7cbcf04813febf5279bc1bc6e26552896a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/lists/[id]/page-states.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 72817, "scanner": "repobility-threat-engine", "fingerprint": "02575fbf064a4364f461991ab216e12f2d2a66c56fbbfbe0dfcbdaf227616562", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|02575fbf064a4364f461991ab216e12f2d2a66c56fbbfbe0dfcbdaf227616562"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/guide/guide-components.tsx"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 72816, "scanner": "repobility-threat-engine", "fingerprint": "0544e6fe05f555556705d7f64dbdc12942be0f7ce56998ffde430121732b8770", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0544e6fe05f555556705d7f64dbdc12942be0f7ce56998ffde430121732b8770", "aggregated_count": 29}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 72815, "scanner": "repobility-threat-engine", "fingerprint": "f0a820e331a66a846b281f328a8d89c2ca34a65612a7e1b017e6fa65a3a0a70b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f0a820e331a66a846b281f328a8d89c2ca34a65612a7e1b017e6fa65a3a0a70b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/content-collections-helpers.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 72814, "scanner": "repobility-threat-engine", "fingerprint": "0c87651ff03ab5bb52e4223073400cf1f837aacbec1827e67e8fce9dab9b5645", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c87651ff03ab5bb52e4223073400cf1f837aacbec1827e67e8fce9dab9b5645"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/global-error.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 72813, "scanner": "repobility-threat-engine", "fingerprint": "fd6ad87a5db13ea1fa60a5442ea81008007600fdacd7bb69674cabf0871d4585", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd6ad87a5db13ea1fa60a5442ea81008007600fdacd7bb69674cabf0871d4585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/error.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 72812, "scanner": "repobility-threat-engine", "fingerprint": "4b9a4fefd8163e8e417a9cb6780f3315c1f451b1a7ce33528729dad342398819", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4b9a4fefd8163e8e417a9cb6780f3315c1f451b1a7ce33528729dad342398819"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 72808, "scanner": "repobility-threat-engine", "fingerprint": "53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "aggregated_count": 7}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 72807, "scanner": "repobility-threat-engine", "fingerprint": "f36960adff9e7e8f24919e8b22949a8f9ca0015b4e8a5ae6e381486d2145ea57", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f36960adff9e7e8f24919e8b22949a8f9ca0015b4e8a5ae6e381486d2145ea57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/mcp/route.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 72806, "scanner": "repobility-threat-engine", "fingerprint": "5bb2fc63b5dfe14d6c8388978b9a29562fc7f62a31437117d842d8e1d44dc85a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5bb2fc63b5dfe14d6c8388978b9a29562fc7f62a31437117d842d8e1d44dc85a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/(account)/settings/settings-page-client.tsx"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 72805, "scanner": "repobility-threat-engine", "fingerprint": "4c75322e0891327cb1c02094ce13811d7b4716a12e8eb720f674bfc65be5684c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c75322e0891327cb1c02094ce13811d7b4716a12e8eb720f674bfc65be5684c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/(account)/profile/profile-page-client.tsx"}, "region": {"startLine": 74}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `concurrently` is patch version(s) behind (^10.0.0 -> 10.0.3)"}, "properties": {"repobilityId": 72800, "scanner": "repobility-dependency-currency", "fingerprint": "fba8dec27b7640e59c21ffaefa361c248ac3f98a24f5f1a0aceb56111f2a2163", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "concurrently", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.3", "correlation_key": "fp|fba8dec27b7640e59c21ffaefa361c248ac3f98a24f5f1a0aceb56111f2a2163", "current_version": "^10.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `baseline-browser-mapping` is patch version(s) behind (^2.10.32 -> 2.10.33)"}, "properties": {"repobilityId": 72796, "scanner": "repobility-dependency-currency", "fingerprint": "e0d6ae43b07877637ada6cbf5642fe90f95282fbc2523fff2b6084fbe46ad811", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "baseline-browser-mapping", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.10.33", "correlation_key": "fp|e0d6ae43b07877637ada6cbf5642fe90f95282fbc2523fff2b6084fbe46ad811", "current_version": "^2.10.32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@mdn/browser-compat-data` is patch version(s) behind (^8.0.0 -> 8.0.1)"}, "properties": {"repobilityId": 72795, "scanner": "repobility-dependency-currency", "fingerprint": "62048e1b4be741c56df2c68d8e94a4e6c33792af3a52fd6ab81773f461603d33", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@mdn/browser-compat-data", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.0.1", "correlation_key": "fp|62048e1b4be741c56df2c68d8e94a4e6c33792af3a52fd6ab81773f461603d33", "current_version": "^8.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /checklists/:id/route."}, "properties": {"repobilityId": 72869, "scanner": "repobility-access-control", "fingerprint": "94370e42bdcf82c1ae0efd097ec49e587768f91f2f0837c77eb084c9c6df6791", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/checklists/:id/route", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apps/web/app/api/checklists/ id /route.ts|76|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/checklists/[id]/route.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /checklists/:id/route."}, "properties": {"repobilityId": 72868, "scanner": "repobility-access-control", "fingerprint": "36528ad24037af3fd21ff71a9e399e9939a448980e5488a2dd847eb9020ac8c6", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/checklists/:id/route", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|apps/web/app/api/checklists/ id /route.ts|22|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/checklists/[id]/route.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED028", "level": "error", "message": {"text": "[MINED028] Ts Ignore Comment: // @ts-ignore silences all type errors on the next line."}, "properties": {"repobilityId": 72856, "scanner": "repobility-threat-engine", "fingerprint": "88c2611a86c531e0f13b062ecb7fd9615e53a1336763a43a21c008c2819c9eb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-ignore-comment", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347964+00:00", "triaged_in_corpus": 15, "observations_count": 9364, "ai_coder_pattern_id": 99}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88c2611a86c531e0f13b062ecb7fd9615e53a1336763a43a21c008c2819c9eb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/validators/src/validate-types.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 72853, "scanner": "repobility-threat-engine", "fingerprint": "777ee2ef7f436d3f9bc3a8d19d3fa836d0e8440cb97dec29367a67e5dc799974", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line: string) => `> ${line}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|777ee2ef7f436d3f9bc3a8d19d3fa836d0e8440cb97dec29367a67e5dc799974"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/utils/mdx-to-markdown.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 72852, "scanner": "repobility-threat-engine", "fingerprint": "6c255cf828b6e753885cf18cb2df01b613aedd81a30fb02adebf4e837808b83e", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((i, idx) => `${idx + 1}. ${i.issue}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6c255cf828b6e753885cf18cb2df01b613aedd81a30fb02adebf4e837808b83e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/tools/check-rule.ts"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 72851, "scanner": "repobility-threat-engine", "fingerprint": "2734233eed9696331cc363f8d94c0c9e86a39c5192fdaafcbda22e517fe7fc71", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2734233eed9696331cc363f8d94c0c9e86a39c5192fdaafcbda22e517fe7fc71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/rules/src/load-rules.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 72850, "scanner": "repobility-threat-engine", "fingerprint": "2a62b5b74d8254df362f846d22da16ea6c1bad8ac08091d032b6f7f73300296f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(tag", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2a62b5b74d8254df362f846d22da16ea6c1bad8ac08091d032b6f7f73300296f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/tools/check-rule.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 72849, "scanner": "repobility-threat-engine", "fingerprint": "a81d52fb05eb23f9ad236ca513ec68b8892b318db878304afee6f488a27b0fbd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a81d52fb05eb23f9ad236ca513ec68b8892b318db878304afee6f488a27b0fbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp/src/cli.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 72832, "scanner": "repobility-threat-engine", "fingerprint": "2c25378b9fe79e5061942d317765c5af5fa3562f9cacdc2d3c73a0bc29b2e0aa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "recursionStack.delete(node)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2c25378b9fe79e5061942d317765c5af5fa3562f9cacdc2d3c73a0bc29b2e0aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/validators/src/validate-imports.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 72831, "scanner": "repobility-threat-engine", "fingerprint": "20c88f486ebabc40e1e56a4fbff873db480ec360ab9d6ee8d55fe980bca20553", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "memoryCache.delete(key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|20c88f486ebabc40e1e56a4fbff873db480ec360ab9d6ee8d55fe980bca20553"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/storage/src/storage-helpers.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 72830, "scanner": "repobility-threat-engine", "fingerprint": "a0ef3abaea1dc9dd2587a998fc6063f770b2966a074b0563720e91233fdd63b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(ruleId)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a0ef3abaea1dc9dd2587a998fc6063f770b2966a074b0563720e91233fdd63b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/rules/browser/rules-browser.tsx"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 72828, "scanner": "repobility-threat-engine", "fingerprint": "8e7d37cf6658efdf6828069cadb213f37bf8d0d7c7cd205e5549dfc4d4c436e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(foreground", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8e7d37cf6658efdf6828069cadb213f37bf8d0d7c7cd205e5549dfc4d4c436e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/test-utils/accessibility.tsx"}, "region": {"startLine": 176}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 72827, "scanner": "repobility-threat-engine", "fingerprint": "c0a5224b826c727e12a13be044a8a5ed8465d36eb234889c40dbf48b11c6be5a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(html", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c0a5224b826c727e12a13be044a8a5ed8465d36eb234889c40dbf48b11c6be5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/scripts/x-metadata.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 72826, "scanner": "repobility-threat-engine", "fingerprint": "df1ba7b836736d8323ecb338a66af0b656cda70a62547f9b67515b71712e84c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df1ba7b836736d8323ecb338a66af0b656cda70a62547f9b67515b71712e84c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/components/mentions/embeds/x-mention-card.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 72811, "scanner": "repobility-threat-engine", "fingerprint": "5e7e8488f4a0f9f22dc299bab66ad88f1b6f69a34052bbcd42c2c113353b3ed9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5e7e8488f4a0f9f22dc299bab66ad88f1b6f69a34052bbcd42c2c113353b3ed9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/mcp/route-helpers.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 72810, "scanner": "repobility-threat-engine", "fingerprint": "943237c89597aa5edb7181b7a63c57dfb3b86e756638ffe7af67ca689b862bc6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|943237c89597aa5edb7181b7a63c57dfb3b86e756638ffe7af67ca689b862bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/api/fix-suggestion/route.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 72809, "scanner": "repobility-threat-engine", "fingerprint": "de9b04e1bddab7ec10504bfd7a9648e68aa0d838fadd5d443ef2965d3bf258b8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de9b04e1bddab7ec10504bfd7a9648e68aa0d838fadd5d443ef2965d3bf258b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/(site)/(account)/settings/settings-page-client.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72794, "scanner": "repobility-supply-chain", "fingerprint": "cb6761505047c9c4cef9b43ca50d714ee275de95bb1c1ae84fc284a646ff218a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb6761505047c9c4cef9b43ca50d714ee275de95bb1c1ae84fc284a646ff218a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72793, "scanner": "repobility-supply-chain", "fingerprint": "437c3fe4c3631ce1a722e168304df52a6c4b6ae69c6d4115a92605872769c9e9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|437c3fe4c3631ce1a722e168304df52a6c4b6ae69c6d4115a92605872769c9e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72792, "scanner": "repobility-supply-chain", "fingerprint": "e9d8683bc6dd465a520b8d8b196ae5d6f87ee13dcd4832b6591f5ea106146997", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9d8683bc6dd465a520b8d8b196ae5d6f87ee13dcd4832b6591f5ea106146997"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72791, "scanner": "repobility-supply-chain", "fingerprint": "8e009f1a92951165e2b68dcfcffc979e64b28a747fa82fa56f70968ff9ae01be", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e009f1a92951165e2b68dcfcffc979e64b28a747fa82fa56f70968ff9ae01be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `codecov/codecov-action` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72790, "scanner": "repobility-supply-chain", "fingerprint": "7d6f2c44a1af5ba3fb877df6a2ddbf24fa13d4b22dce2fc02e2a9a3888a50d02", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d6f2c44a1af5ba3fb877df6a2ddbf24fa13d4b22dce2fc02e2a9a3888a50d02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72789, "scanner": "repobility-supply-chain", "fingerprint": "b6483861b4e0c3864bea4cf3bd0201f45df3e02f7a2e76e89ff215d5e0a0cf0d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6483861b4e0c3864bea4cf3bd0201f45df3e02f7a2e76e89ff215d5e0a0cf0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72788, "scanner": "repobility-supply-chain", "fingerprint": "232634fdbb8af982db9c41ddbae1a03ccb2586b9c9b08dbd05cd8616f11f15e6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|232634fdbb8af982db9c41ddbae1a03ccb2586b9c9b08dbd05cd8616f11f15e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72787, "scanner": "repobility-supply-chain", "fingerprint": "6f70205328fa841ed3dd494643343ded7798d08e2623cc797a2cb2d7ea73a975", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6f70205328fa841ed3dd494643343ded7798d08e2623cc797a2cb2d7ea73a975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72786, "scanner": "repobility-supply-chain", "fingerprint": "10e0c3ae336169b8b286ab4ba9d96e1bd576938a76d0fef02a019a0898810867", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10e0c3ae336169b8b286ab4ba9d96e1bd576938a76d0fef02a019a0898810867"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72785, "scanner": "repobility-supply-chain", "fingerprint": "d443c0e58d8ec61676774b5517a4b4ce12f9b5c5a838cebec668d4806219f02c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d443c0e58d8ec61676774b5517a4b4ce12f9b5c5a838cebec668d4806219f02c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72784, "scanner": "repobility-supply-chain", "fingerprint": "bc04f9cfccda750e43ec33c0a48ab587549ecdf6df9282247f8daf6bbe64d9bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc04f9cfccda750e43ec33c0a48ab587549ecdf6df9282247f8daf6bbe64d9bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72783, "scanner": "repobility-supply-chain", "fingerprint": "226615aed30572927dfc941db606729626061657788e546ca1d71589f90189e2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|226615aed30572927dfc941db606729626061657788e546ca1d71589f90189e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72782, "scanner": "repobility-supply-chain", "fingerprint": "67745709ee54c50322e7129a94f43ed764825c38ba31a8f72a01be5f59749594", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67745709ee54c50322e7129a94f43ed764825c38ba31a8f72a01be5f59749594"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72781, "scanner": "repobility-supply-chain", "fingerprint": "5b2ba8eca1d8531b3ee24f6b3a28a934ac6321098835891b7b7888f92c23cafd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b2ba8eca1d8531b3ee24f6b3a28a934ac6321098835891b7b7888f92c23cafd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72780, "scanner": "repobility-supply-chain", "fingerprint": "8c757da167ae3ae4d5e06b77cac1c7a3e4818718e0e606ceacebfe107d815a1a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c757da167ae3ae4d5e06b77cac1c7a3e4818718e0e606ceacebfe107d815a1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72779, "scanner": "repobility-supply-chain", "fingerprint": "b60b8a198c267ae13d3f66a3d662d0c6f73f76298e8419dc703e2a38f2782a57", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b60b8a198c267ae13d3f66a3d662d0c6f73f76298e8419dc703e2a38f2782a57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72778, "scanner": "repobility-supply-chain", "fingerprint": "c431647a92c729b90c60453b03f067022ce46949365c183da29de7aef05e8f0f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c431647a92c729b90c60453b03f067022ce46949365c183da29de7aef05e8f0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72777, "scanner": "repobility-supply-chain", "fingerprint": "ccf923add2ff1d90ee23d0773f1afc051bdb66ba35a1fc51d936c0fed96f526f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ccf923add2ff1d90ee23d0773f1afc051bdb66ba35a1fc51d936c0fed96f526f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72776, "scanner": "repobility-supply-chain", "fingerprint": "4812528679b10e654bc23f00a385c8b55eba6e7ff2bb652ebae33b51856b2244", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4812528679b10e654bc23f00a385c8b55eba6e7ff2bb652ebae33b51856b2244"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72775, "scanner": "repobility-supply-chain", "fingerprint": "50132cb16c793c49169bb7af9c0d8d0ccaca0f66d26c40a177b8b0254d2cada8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50132cb16c793c49169bb7af9c0d8d0ccaca0f66d26c40a177b8b0254d2cada8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `treosh/lighthouse-ci-action` pinned to mutable ref `@v11`"}, "properties": {"repobilityId": 72774, "scanner": "repobility-supply-chain", "fingerprint": "5d8c3cd4fa9b074910238c4f12a0a71cd20bf246cf9dff618cbf1e0cec268a6d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d8c3cd4fa9b074910238c4f12a0a71cd20bf246cf9dff618cbf1e0cec268a6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `amondnet/vercel-action` pinned to mutable ref `@v25`"}, "properties": {"repobilityId": 72773, "scanner": "repobility-supply-chain", "fingerprint": "c3cb576588bee7cc813bcc5f246b26b9fc47f319d26c9b9faf05e55c9ef1afb7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3cb576588bee7cc813bcc5f246b26b9fc47f319d26c9b9faf05e55c9ef1afb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72772, "scanner": "repobility-supply-chain", "fingerprint": "1efd7b87eb81960906a472073952edab45fb9dd5a3774d2b5cb024572c25a5b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1efd7b87eb81960906a472073952edab45fb9dd5a3774d2b5cb024572c25a5b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72771, "scanner": "repobility-supply-chain", "fingerprint": "ce4b571083674e6c42e23d95e5e5c328163b5ff5dafb5b69e1b88ccfdf9753ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce4b571083674e6c42e23d95e5e5c328163b5ff5dafb5b69e1b88ccfdf9753ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 72770, "scanner": "repobility-supply-chain", "fingerprint": "6e36efca8f13bbd8c3c2156cdb2d505e29b10f5394a3975cd5ac1d7987e8fb7d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e36efca8f13bbd8c3c2156cdb2d505e29b10f5394a3975cd5ac1d7987e8fb7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 72863, "scanner": "gitleaks", "fingerprint": "3ccb065c89a7af803ca1764c27b6ea774fcb38bd3ccde34ade6ca1760f5515bd", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "apiKey = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|3|apikey redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/leaked-secrets/references/rule.md"}, "region": {"startLine": 31}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 72862, "scanner": "gitleaks", "fingerprint": "7156c00b31a029cfaaa2375e61f8071cd272e54b60fc798f6624c60905f88e1d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "API Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|49|api key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/clean-up-comments/references/rule.md"}, "region": {"startLine": 497}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 72861, "scanner": "gitleaks", "fingerprint": "5ea831e6931225c136d056ec5aee9a31fbe8636889ab2a2f1d0b0149959095ca", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "apiKey = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|12|apikey redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/content/rules/en/security/leaked-secrets.mdx"}, "region": {"startLine": 121}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 72860, "scanner": "gitleaks", "fingerprint": "f1eec93757cbfc041247b94add2d12ec2215e4e5f4d435c6827261a6b690f1d1", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "API Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|56|api key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/content/rules/en/html/clean-up-comments.mdx"}, "region": {"startLine": 565}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 72855, "scanner": "repobility-threat-engine", "fingerprint": "ecc3d333f346133f9d171854bd9d868f6fa8a3a8c53d7deab30ec01dd7fc4677", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ecc3d333f346133f9d171854bd9d868f6fa8a3a8c53d7deab30ec01dd7fc4677"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/audit/mcp-impact-benchmark.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 72854, "scanner": "repobility-threat-engine", "fingerprint": "2588cbb6e5ba5ef97875a6a3db1958bb6de196179a48322870825402468d58d6", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2588cbb6e5ba5ef97875a6a3db1958bb6de196179a48322870825402468d58d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/validators/src/validate-security.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 72847, "scanner": "repobility-threat-engine", "fingerprint": "579ce368ade222dfb0dcc2bd408b993588e341cf249678742abb9cb6424e0db5", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://user:password@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|postgresql://user:password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/auth/prisma.config.ts"}, "region": {"startLine": 4}}}]}]}]}