{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN005", "name": "Compliance or security claim is near a placeholder link", "shortDescription": {"text": "Compliance or security claim is near a placeholder link"}, "fullDescription": {"text": "Link trust claims to current evidence, downgrade unverifiable wording, and replace placeholder footer/legal/security links with real destinations."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Require an explicit isolated profile for auto-approve modes. Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT014", "name": "Codex auth.json is read or copied without visible secret-file hardening", "shortDescription": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "fullDescription": {"text": "Use the platform credential store where possible. If auth files must be touched, enforce 0600 permissions, avoid backups in the repo/workspace, redact logs, and document rotation if the file is exposed."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `generate_daily` has cognitive complexity 18 (SonarSource scale). Cognitiv", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `generate_daily` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursio"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 18."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n const u = new URL(serverUrl, location.href);\n if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every :\n link\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n 1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is functionally equivalent to `a+` for matching purposes.\n 2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in replacement for `re` for most use cases.\n 3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `od` image is selected through a build variable", "shortDescription": {"text": "Compose service `od` image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 4 more): Same pattern found in 4 additional files. ", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 47 more): Same pattern found in 47 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 23 more): Same pattern found in 23 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 38 more): Same pattern found in 38 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 4 more): Same pattern found in 4 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 5 more): Same pattern found in 5 a", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 72 more): Same pattern found in 72 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 72 more): Same pattern found in 72 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n ALLOWED = {'images.example.com', 'cdn.example.com'}\n host = urlparse(url).hostname\n if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 64 more): Same pattern found in 64 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 23 more): Same pattern found in 23 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `tools/pack/resources/win/7zip/7z.exe` committed in source repo: `tools/pack/resources/win/7zip/7", "shortDescription": {"text": "[MINED134] Binary file `tools/pack/resources/win/7zip/7z.exe` committed in source repo: `tools/pack/resources/win/7zip/7z.exe` is a .exe binary (575,488 bytes) committed to a repo that otherwise has 1865 source files. Trojan binaries inside"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-r", "shortDescription": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025"}, "fullDescription": {"text": "Replace with: `uses: actions/setup-node@<40-char-sha> # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express DELETE /api/projects/:id/folders has no auth: Express route DELETE /api/projects/:id/folders declared", "shortDescription": {"text": "[MINED113] Express DELETE /api/projects/:id/folders has no auth: Express route DELETE /api/projects/:id/folders declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes "}, "fullDescription": {"text": "Add an auth middleware: app.delete('/api/projects/:id/folders', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._spin` used but never assigned in __init__: Method `start` of class `Spinner` reads `self._spin`, but n", "shortDescription": {"text": "[MINED108] `self._spin` used but never assigned in __init__: Method `start` of class `Spinner` reads `self._spin`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the metho"}, "fullDescription": {"text": "Initialize `self._spin = ` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_rejects_traversal_in_input_images_via_main: Test function `test_rejects_traversal", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_rejects_traversal_in_input_images_via_main: Test function `test_rejects_traversal_in_input_images_via_main` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. "}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 / for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC111", "name": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Cal", "shortDescription": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS."}, "fullDescription": {"text": "Use `django.utils.html.format_html(\"

{}

\", user_input)` \u2014 Django will escape the placeholder. Or escape explicitly with `django.utils.html.escape()`. Only use `mark_safe` on string literals."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC018", "name": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents ", "shortDescription": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, she"}, "fullDescription": {"text": "Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_re", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfil"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `", "shortDescription": {"text": "[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import warnings` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/891"}, "properties": {"repository": "nexu-io/open-design", "repoUrl": "https://github.com/nexu-io/open-design", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82481, "scanner": "repobility-ast-engine", "fingerprint": "32f94e97507206bd4c0443b192d0ea0a9194efc026fbad734d3b03716e4b8f76", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32f94e97507206bd4c0443b192d0ea0a9194efc026fbad734d3b03716e4b8f76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/pipeline.py"}, "region": {"startLine": 389}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82480, "scanner": "repobility-ast-engine", "fingerprint": "c632ed16b6077be04d2dc64cec479181e0e23e510ba87d30a3231a552a9841b9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c632ed16b6077be04d2dc64cec479181e0e23e510ba87d30a3231a552a9841b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/pipeline.py"}, "region": {"startLine": 922}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82479, "scanner": "repobility-ast-engine", "fingerprint": "901dd585ea2ede387136a64564efaaac25ab4c16edf2eab7e8163094267fd3be", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|901dd585ea2ede387136a64564efaaac25ab4c16edf2eab7e8163094267fd3be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/pipeline.py"}, "region": {"startLine": 887}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82478, "scanner": "repobility-ast-engine", "fingerprint": "f01e36f76b52744a1a5e7e3c17d907b319380f107a9c13746fcecb42e5ee43dc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f01e36f76b52744a1a5e7e3c17d907b319380f107a9c13746fcecb42e5ee43dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/pipeline.py"}, "region": {"startLine": 823}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82477, "scanner": "repobility-ast-engine", "fingerprint": "065aa68a34d880ba77a4a7ec7c30414e34a5ebf4dc3e264a38333175f37d085c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|065aa68a34d880ba77a4a7ec7c30414e34a5ebf4dc3e264a38333175f37d085c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/pipeline.py"}, "region": {"startLine": 365}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82476, "scanner": "repobility-ast-engine", "fingerprint": "c01c4c1af7b81882e66d77236c8586a15307e5de53412ad6fd94ceebdc8bd169", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c01c4c1af7b81882e66d77236c8586a15307e5de53412ad6fd94ceebdc8bd169"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/pipeline.py"}, "region": {"startLine": 867}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82475, "scanner": "repobility-ast-engine", "fingerprint": "c771fef9aa9a91a3918e8f84057cd10d6cd17c50e513f9748b983218422d7e1b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c771fef9aa9a91a3918e8f84057cd10d6cd17c50e513f9748b983218422d7e1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/pipeline.py"}, "region": {"startLine": 697}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82474, "scanner": "repobility-ast-engine", "fingerprint": "e2642a36b662b4c60d149ff48f71001015d0bf7910866d3ba807e5362b4af2fb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e2642a36b662b4c60d149ff48f71001015d0bf7910866d3ba807e5362b4af2fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/pipeline.py"}, "region": {"startLine": 670}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82473, "scanner": "repobility-ast-engine", "fingerprint": "362b9eb23c01b48b4954548470e796dbec3cd11a58d3382adf07aca12f527c8f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|362b9eb23c01b48b4954548470e796dbec3cd11a58d3382adf07aca12f527c8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/pipeline.py"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82472, "scanner": "repobility-ast-engine", "fingerprint": "40e80efe1efeaa832c552502c200a06432230f1ba79d6b2a2b3efd332d991142", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|40e80efe1efeaa832c552502c200a06432230f1ba79d6b2a2b3efd332d991142"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/pipeline.py"}, "region": {"startLine": 287}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82470, "scanner": "repobility-ast-engine", "fingerprint": "5cecb82492ada6c9713ed2e50ef8dea00ea79fb884794d8ff05e2b2a74341fdc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5cecb82492ada6c9713ed2e50ef8dea00ea79fb884794d8ff05e2b2a74341fdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/bird_x.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82469, "scanner": "repobility-ast-engine", "fingerprint": "09bdd9fa02105088ed758fbfcc07846c272076a427b2bbef3549dd5f7599ec4c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|09bdd9fa02105088ed758fbfcc07846c272076a427b2bbef3549dd5f7599ec4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/quality_nudge.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82468, "scanner": "repobility-ast-engine", "fingerprint": "b86eb5ce62f5b2f34fb8d0cb955a79c416a36fa2a2e38edba4414993f910eb4f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b86eb5ce62f5b2f34fb8d0cb955a79c416a36fa2a2e38edba4414993f910eb4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/quality_nudge.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82467, "scanner": "repobility-ast-engine", "fingerprint": "92c3ae321878fb07f132c9836aeee845c2eab567eb4f9c5a5b88ded0e5037eaf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|92c3ae321878fb07f132c9836aeee845c2eab567eb4f9c5a5b88ded0e5037eaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/setup_wizard.py"}, "region": {"startLine": 461}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82466, "scanner": "repobility-ast-engine", "fingerprint": "d2effaec1bdd639c2fcbd58fc58bfbebb0b8014f3c09ff151c31591565929ad4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d2effaec1bdd639c2fcbd58fc58bfbebb0b8014f3c09ff151c31591565929ad4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/xurl_x.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82465, "scanner": "repobility-ast-engine", "fingerprint": "851529df80c649cf6507b9e2a8a55411d6d2a5e49476ba55e01c3336ffafbc12", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|851529df80c649cf6507b9e2a8a55411d6d2a5e49476ba55e01c3336ffafbc12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/reddit.py"}, "region": {"startLine": 611}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82464, "scanner": "repobility-ast-engine", "fingerprint": "99461d280a732f3ad2497b804c5cf6739f6a778fc42aa1d74aa3f39e6130fb0d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|99461d280a732f3ad2497b804c5cf6739f6a778fc42aa1d74aa3f39e6130fb0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/env.py"}, "region": {"startLine": 342}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82463, "scanner": "repobility-ast-engine", "fingerprint": "4dda23d5d81420610210deef4ac56f521c16de146522b616e85f8aebb2d5a199", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4dda23d5d81420610210deef4ac56f521c16de146522b616e85f8aebb2d5a199"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/env.py"}, "region": {"startLine": 574}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82462, "scanner": "repobility-ast-engine", "fingerprint": "1f93cf1c7e2d31184994f46c8785c79c5fdf4aeacc3113a04878fd3e8b4a4565", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1f93cf1c7e2d31184994f46c8785c79c5fdf4aeacc3113a04878fd3e8b4a4565"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/reddit_public.py"}, "region": {"startLine": 278}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82461, "scanner": "repobility-ast-engine", "fingerprint": "1737642e2e4c0492cace3f0adaef3fdfc6cd58fbcdf228950790c5c8dfa0e1e8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1737642e2e4c0492cace3f0adaef3fdfc6cd58fbcdf228950790c5c8dfa0e1e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/reddit_public.py"}, "region": {"startLine": 286}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82460, "scanner": "repobility-ast-engine", "fingerprint": "a7c03a191d7b5686086800b3674074f8b58dc70bee132532f836b7a6e346daf9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a7c03a191d7b5686086800b3674074f8b58dc70bee132532f836b7a6e346daf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/polymarket.py"}, "region": {"startLine": 358}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82459, "scanner": "repobility-ast-engine", "fingerprint": "0e32dc1de2be576de72f0513cbc0f0a27bb272837682804de48e52f37528e873", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0e32dc1de2be576de72f0513cbc0f0a27bb272837682804de48e52f37528e873"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/fanout.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82458, "scanner": "repobility-ast-engine", "fingerprint": "fb1220b1644635c2b303db745f3d562a7f1113dd6a0b625d11f76b6fbe958907", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fb1220b1644635c2b303db745f3d562a7f1113dd6a0b625d11f76b6fbe958907"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/last30days.py"}, "region": {"startLine": 784}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 82457, "scanner": "repobility-ast-engine", "fingerprint": "c3273b4c73f3499ab29edaa6850f2054fa68172ba89bd91f54914468ef32ea2d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3273b4c73f3499ab29edaa6850f2054fa68172ba89bd91f54914468ef32ea2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/watchlist.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 82440, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 82435, "scanner": "repobility-journey-contract", "fingerprint": "60dbb83be58781fef41589efadb81b82893d8d420a5b133b199c5d2818dcff59", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|60dbb83be58781fef41589efadb81b82893d8d420a5b133b199c5d2818dcff59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/web-prototype-taste-soft/example.html"}, "region": {"startLine": 529}}}]}, {"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 82434, "scanner": "repobility-journey-contract", "fingerprint": "3d2238bac02eb5b073eff823b037667bc1cfee3057314e90a880fbd4fe2ac4c9", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|3d2238bac02eb5b073eff823b037667bc1cfee3057314e90a880fbd4fe2ac4c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/design-system-showcase.ts"}, "region": {"startLine": 369}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 82425, "scanner": "repobility-agent-runtime", "fingerprint": "56eea401e1f712c017815fb96cfea1dc98a89c10516c54c7ccd8d8274c19220e", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|56eea401e1f712c017815fb96cfea1dc98a89c10516c54c7ccd8d8274c19220e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/runtimes/defs/trae-cli.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 82424, "scanner": "repobility-agent-runtime", "fingerprint": "b45e827eeb3a963c29d0bbdfef5682838c3c1659a72a4df4a44595a80a1115b9", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b45e827eeb3a963c29d0bbdfef5682838c3c1659a72a4df4a44595a80a1115b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/runtimes/defs/grok-build.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 82423, "scanner": "repobility-agent-runtime", "fingerprint": "aefd5fabd63a98875b3679e99aba438cfdef6ecf847841fa4d9847d55959d620", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|aefd5fabd63a98875b3679e99aba438cfdef6ecf847841fa4d9847d55959d620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/runtimes/defs/gemini.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 82422, "scanner": "repobility-agent-runtime", "fingerprint": "4bd0c343bec26ac54cd2e4e357585864b54899360d5bc729ebe8aad95f3bb04f", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|4bd0c343bec26ac54cd2e4e357585864b54899360d5bc729ebe8aad95f3bb04f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/prompts/deck-framework.ts"}, "region": {"startLine": 287}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 82421, "scanner": "repobility-agent-runtime", "fingerprint": "9965b9248e49be25599d3c159456aafad4381272f728065f02eaf64b0f4916d7", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9965b9248e49be25599d3c159456aafad4381272f728065f02eaf64b0f4916d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 302}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 82420, "scanner": "repobility-agent-runtime", "fingerprint": "4a45e5214c197dd522ab2a564f348a15db7147a9ea8e229b7242b4209f90ca3d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4a45e5214c197dd522ab2a564f348a15db7147a9ea8e229b7242b4209f90ca3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/provision-agent-pr-explore-runner.sh"}, "region": {"startLine": 28}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 82419, "scanner": "repobility-agent-runtime", "fingerprint": "66d49d88312d4733edbe7b5096921857ed3a3b7f2a4c8ca1e1e1a6a8cab48cda", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|66d49d88312d4733edbe7b5096921857ed3a3b7f2a4c8ca1e1e1a6a8cab48cda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/skills/od-contribute/install.sh"}, "region": {"startLine": 10}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `generate_daily` has cognitive complexity 18 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=3, if=6, nested_bonus=6, ternary=2."}, "properties": {"repobilityId": 82390, "scanner": "repobility-threat-engine", "fingerprint": "bc1cc96c13b2dd043d5d7654c03f5076b7388963d966956977cf8e30986608b0", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 18 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "generate_daily", "breakdown": {"if": 6, "for": 3, "except": 1, "ternary": 2, "nested_bonus": 6}, "complexity": 18, "correlation_key": "fp|bc1cc96c13b2dd043d5d7654c03f5076b7388963d966956977cf8e30986608b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/briefing.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 82382, "scanner": "repobility-threat-engine", "fingerprint": "4b890db446cab60b9000bf3cd896282fac80f2f2838f8e7d48fb0ecfa0d8c995", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = entryUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4b890db446cab60b9000bf3cd896282fac80f2f2838f8e7d48fb0ecfa0d8c995"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/SocialShareGrid.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 82381, "scanner": "repobility-threat-engine", "fingerprint": "0eda6c66646d4e163be5dfd9e3e688d447415d4ebcebcb62fb85ddfdbd8b993f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random()*N)|0, b = (Math.random()*N)|0;\n if (a===b) continue;\n const key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0eda6c66646d4e163be5dfd9e3e688d447415d4ebcebcb62fb85ddfdbd8b993f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/html-ppt/assets/animations/fx/knowledge-graph.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 82380, "scanner": "repobility-threat-engine", "fingerprint": "72ee9b59267569495af6ab06e5e18e94020c58b9f0dba66559fc5c5fcee02761", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2, 10)}`;\n}\n\nexport function Priv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|72ee9b59267569495af6ab06e5e18e94020c58b9f0dba66559fc5c5fcee02761"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/PrivacySection.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 82379, "scanner": "repobility-threat-engine", "fingerprint": "feb4433b397c923742f469cbaf77aab74171eaf6ef7204a48d33e72467f6eb50", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open('about:blank', '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|67|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/SocialShareGrid.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 82378, "scanner": "repobility-threat-engine", "fingerprint": "b597b488ae5ac32587f7925fec1d92f5f10b1be86238f81e3f6b9097374a1d72", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(\n attributedAmrUrl(AMR_RECHARGE_URL, attribution)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|195|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/GenerationPreviewStage.tsx"}, "region": {"startLine": 195}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 82366, "scanner": "repobility-threat-engine", "fingerprint": "b85368520acaa771d18e20900d0ed86b70bef751bbee34818877371e7e815a8c", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`\\\\b${key}\\\\s*:\\\\s*([^,)]+)`, 'u'));\n if (!match) return null;\n return evalSwiftNumber(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b85368520acaa771d18e20900d0ed86b70bef751bbee34818877371e7e815a8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/swift-colors.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 82342, "scanner": "repobility-threat-engine", "fingerprint": "718f6dd78011cc73b8c9541ea8950258d71d74f9630397f1c10544e735886a21", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|718f6dd78011cc73b8c9541ea8950258d71d74f9630397f1c10544e735886a21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/document-preview.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 82341, "scanner": "repobility-threat-engine", "fingerprint": "3a9c3e9df4e431dfe7f0a9fa981d28ce0c5f69489a9ab6a47f4ffc148458ddb8", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a9c3e9df4e431dfe7f0a9fa981d28ce0c5f69489a9ab6a47f4ffc148458ddb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/critique/artifact-writer.ts"}, "region": {"startLine": 121}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 82340, "scanner": "repobility-threat-engine", "fingerprint": "5c1b2a0ce7807fc366d2f77b7a73e77b160768f398e4d2dd41871a834b6e9b6c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5c1b2a0ce7807fc366d2f77b7a73e77b160768f398e4d2dd41871a834b6e9b6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/critique/artifact-handler.ts"}, "region": {"startLine": 208}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 82328, "scanner": "repobility-threat-engine", "fingerprint": "f29ddf14b2cdfaa8fff8b34eb8c0c3f00c9296b41c2749a4dd8d9ba2c61a4682", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|164|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/design-system-source-context.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 82327, "scanner": "repobility-threat-engine", "fingerprint": "0c81199ed7f16f3acc3b52db3d1149f70cdbbfc55119ba7aa5d51727835b711b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|175|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/critique/persistence.ts"}, "region": {"startLine": 175}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 82326, "scanner": "repobility-threat-engine", "fingerprint": "0a666ee69510bb5965546c99493697bb178159549e3e940d61a2fe719728d369", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|16|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/automation-routine-evolution.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 82298, "scanner": "repobility-threat-engine", "fingerprint": "5465538ebeb6b6ebc847d223cb177c616e0dd60c818d7b4cbb17e80c0a39eca0", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.9 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD=\"\"", "reason": "Low entropy value (3.9 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|. token|10|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/release/build-mac.sh"}, "region": {"startLine": 106}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 82439, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 82438, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 82437, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 82432, "scanner": "repobility-docker", "fingerprint": "0aa8d43954e8ef0d5619b1895ef00b9f0161415bc2f014efb5da567a516c1f18", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "od", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0aa8d43954e8ef0d5619b1895ef00b9f0161415bc2f014efb5da567a516c1f18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/pack/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 82431, "scanner": "repobility-docker", "fingerprint": "416bba307cc1f4090dadd681b9c5586831653040d07bf04426b15302fd9b4666", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "od", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|416bba307cc1f4090dadd681b9c5586831653040d07bf04426b15302fd9b4666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/pack/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 82428, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82418, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c17138f41ca7f05c152908f51133f394564cad8e93da5f0eb8bfc848c479ed4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/integrations/vela.ts", "duplicate_line": 43, "correlation_key": "fp|6c17138f41ca7f05c152908f51133f394564cad8e93da5f0eb8bfc848c479ed4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/analytics/amr-attribution.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82417, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2f6120232143787a495cd0edac3e43d6c1d38029ffeb38c5c9737afb60d489c7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/sidecar/server.ts", "duplicate_line": 52, "correlation_key": "fp|2f6120232143787a495cd0edac3e43d6c1d38029ffeb38c5c9737afb60d489c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/sidecar/server.ts"}, "region": {"startLine": 553}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82416, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17fa08bfc41d349574cf1e07f44fc2a75d922fd38aafc88251a06343a1fbf455", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/next.config.ts", "duplicate_line": 78, "correlation_key": "fp|17fa08bfc41d349574cf1e07f44fc2a75d922fd38aafc88251a06343a1fbf455"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/sidecar/server.ts"}, "region": {"startLine": 290}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82415, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ebd26cd43972bfbd4bb2a7468cd0ef49046bd62a47533de9a41776d80e326e8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/packaged/src/headless.ts", "duplicate_line": 66, "correlation_key": "fp|7ebd26cd43972bfbd4bb2a7468cd0ef49046bd62a47533de9a41776d80e326e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/packaged/src/index.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82414, "scanner": "repobility-ai-code-hygiene", "fingerprint": "527392db9f25d53d4e7784e8dcf50fa4b7b4bfe362689d908b001e9aa7a8a44f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/landing-page/scripts/blog-indexing/post-feishu-digest.ts", "duplicate_line": 5, "correlation_key": "fp|527392db9f25d53d4e7784e8dcf50fa4b7b4bfe362689d908b001e9aa7a8a44f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/landing-page/scripts/blog-indexing/report-3day.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82413, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64d89140c4c7ec3836a6f4cb2238aac99e9983d4d4a275ff60826fe86c7c5530", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/landing-page/scripts/blog-indexing/inspect-urls.ts", "duplicate_line": 3, "correlation_key": "fp|64d89140c4c7ec3836a6f4cb2238aac99e9983d4d4a275ff60826fe86c7c5530"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/landing-page/scripts/blog-indexing/query-search-analytics.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82412, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39c858c2cd07dcd9f1bb71dfc2d4f6478a2cd0c56fdc515ca15ddde82de0d6ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/landing-page/scripts/blog-indexing/escalate-low-traffic.ts", "duplicate_line": 4, "correlation_key": "fp|39c858c2cd07dcd9f1bb71dfc2d4f6478a2cd0c56fdc515ca15ddde82de0d6ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/landing-page/scripts/blog-indexing/escalate-stalls.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82411, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9abd1fc3314a61ea4807fe6b3bf4fbdcfafbf8ba4203917a9e5fec143f823862", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/sidecar/server.ts", "duplicate_line": 52, "correlation_key": "fp|9abd1fc3314a61ea4807fe6b3bf4fbdcfafbf8ba4203917a9e5fec143f823862"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/index.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82410, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6435ce467d6d8a34156b4c83e4bc6e953744e5f28ffa29d6c0d52c666aa97fba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/mcp-tokens.ts", "duplicate_line": 42, "correlation_key": "fp|6435ce467d6d8a34156b4c83e4bc6e953744e5f28ffa29d6c0d52c666aa97fba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/xai-tokens.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82409, "scanner": "repobility-ai-code-hygiene", "fingerprint": "53aa088a577a1a7de0345f76b6d70d658ba6d3f9356e1bfd338d6b059c025151", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/finalize-design.ts", "duplicate_line": 285, "correlation_key": "fp|53aa088a577a1a7de0345f76b6d70d658ba6d3f9356e1bfd338d6b059c025151"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/transcript-export.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82408, "scanner": "repobility-ai-code-hygiene", "fingerprint": "992b15ed9ce12ae61f35e0f93e5252d7a2b92c1df5fc72e5029e9ce297b5390d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/connectors/service.ts", "duplicate_line": 234, "correlation_key": "fp|992b15ed9ce12ae61f35e0f93e5252d7a2b92c1df5fc72e5029e9ce297b5390d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/tools/connectors.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82407, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d7d2ed9c59c30481431d38c4e1226e758dc18bde5e5acdd6c1d92c6502cb901", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/mcp-live-artifacts-server.ts", "duplicate_line": 129, "correlation_key": "fp|5d7d2ed9c59c30481431d38c4e1226e758dc18bde5e5acdd6c1d92c6502cb901"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/tools-live-artifacts-cli.ts"}, "region": {"startLine": 146}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82406, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f812b5064170d816f1801a5828ee0b731b18c2158a753c45381509bea0a5edb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/tools-design-systems-cli.ts", "duplicate_line": 20, "correlation_key": "fp|4f812b5064170d816f1801a5828ee0b731b18c2158a753c45381509bea0a5edb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/tools-live-artifacts-cli.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82405, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b68fc0cab5bdc32091c3ee51a943c0d59b121b2777bee1226a6a63987dbb79c5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/mcp-live-artifacts-server.ts", "duplicate_line": 129, "correlation_key": "fp|b68fc0cab5bdc32091c3ee51a943c0d59b121b2777bee1226a6a63987dbb79c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/tools-design-systems-cli.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82404, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3732a85eac0e1ab570de363936ab37e473ac8f5be2b8453d9a7002810c0f69d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/runtimes/defs/codex.ts", "duplicate_line": 78, "correlation_key": "fp|b3732a85eac0e1ab570de363936ab37e473ac8f5be2b8453d9a7002810c0f69d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/runtimes/defs/pi.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82403, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f03bbdc0046afa03f5c669c02006908233b349ec25705e0280de4b9d1e0af1ff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/runtimes/defs/kilo.ts", "duplicate_line": 7, "correlation_key": "fp|f03bbdc0046afa03f5c669c02006908233b349ec25705e0280de4b9d1e0af1ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/runtimes/defs/kiro.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82402, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4fdde39ae14a2fdce84cfc765184d7199a13260af31161ca782dd4dbdbdf75cc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/connectors/service.ts", "duplicate_line": 410, "correlation_key": "fp|4fdde39ae14a2fdce84cfc765184d7199a13260af31161ca782dd4dbdbdf75cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/live-artifacts/schema.ts"}, "region": {"startLine": 160}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82401, "scanner": "repobility-ai-code-hygiene", "fingerprint": "87c6ccd243c6733047bca31a5f16e5061dddeb0c9dc8fe1f6311e1b451e03a45", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/design-system-preview.ts", "duplicate_line": 277, "correlation_key": "fp|87c6ccd243c6733047bca31a5f16e5061dddeb0c9dc8fe1f6311e1b451e03a45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/design-system-showcase.ts"}, "region": {"startLine": 574}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82400, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72b3d0018bac3bdba86fa93902fcd0889f9b87b4df5c9b8e9d7603b7cadfc827", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/critique/artifact-handler.ts", "duplicate_line": 21, "correlation_key": "fp|72b3d0018bac3bdba86fa93902fcd0889f9b87b4df5c9b8e9d7603b7cadfc827"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/critique/interrupt-handler.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82399, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a5976f7cc729547f77dfdac1c99eb2f397af800b59c2624729d78f1faee595e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/src/claude-stream.ts", "duplicate_line": 47, "correlation_key": "fp|a5976f7cc729547f77dfdac1c99eb2f397af800b59c2624729d78f1faee595e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/copilot-stream.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82398, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a801a45e63efe7ee91391bdbe4a41bb5d1a264859851bd3200e3607428015a95", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/scripts/release/r2/publish-beta-metadata.ts", "duplicate_line": 23, "correlation_key": "fp|a801a45e63efe7ee91391bdbe4a41bb5d1a264859851bd3200e3607428015a95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/release/r2/verify-beta-metadata.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 82397, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7e1adbec410a8b7baff22e142536d044c3ffbe4827ce5c133c50bdcc86a7c84", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/scripts/release/r2/publish-beta-metadata.ts", "duplicate_line": 22, "correlation_key": "fp|f7e1adbec410a8b7baff22e142536d044c3ffbe4827ce5c133c50bdcc86a7c84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/release/r2/publish-platform.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 82396, "scanner": "repobility-ai-code-hygiene", "fingerprint": "302dee9cebae315540c5147bcf33e43ca2e6ccac230629700dbd7af0cbaa9b19", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|302dee9cebae315540c5147bcf33e43ca2e6ccac230629700dbd7af0cbaa9b19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/landing-page/app/_lib/home-copy.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `compose_from_source_atlas` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=2, if=3, nested_bonus=3."}, "properties": {"repobilityId": 82392, "scanner": "repobility-threat-engine", "fingerprint": "08a4c79692cef02773b03663a8961d032c184cac793f42d62a8523d68a384239", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "compose_from_source_atlas", "breakdown": {"if": 3, "for": 2, "nested_bonus": 3}, "complexity": 8, "correlation_key": "fp|08a4c79692cef02773b03663a8961d032c184cac793f42d62a8523d68a384239"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/compose_atlas.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `generate_weekly` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, else=1, for=1, if=3, nested_bonus=4, ternary=1."}, "properties": {"repobilityId": 82391, "scanner": "repobility-threat-engine", "fingerprint": "784929056e13e06fc7f7cd8a6bb7d50f811d4b0a2aca8c87e211b218e2c860ee", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "generate_weekly", "breakdown": {"if": 3, "for": 1, "else": 1, "ternary": 1, "continue": 1, "nested_bonus": 4}, "complexity": 11, "correlation_key": "fp|784929056e13e06fc7f7cd8a6bb7d50f811d4b0a2aca8c87e211b218e2c860ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/briefing.py"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 82383, "scanner": "repobility-threat-engine", "fingerprint": "839cb32a9591592105f73b2ba41eb1eeaa7b6923162de1aa039d92f960ac0595", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|123|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/edit-mode/source-patches.ts"}, "region": {"startLine": 123}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `od` image is selected through a build variable"}, "properties": {"repobilityId": 82430, "scanner": "repobility-docker", "fingerprint": "dd0587bc73d3ab51c2d1dcbfdfb669779ac5257ac3375e31da687d6431a09123", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${OD_IMAGE:-ghcr.io/open-design/od:edge}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|dd0587bc73d3ab51c2d1dcbfdfb669779ac5257ac3375e31da687d6431a09123"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/pack/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `open-design` image is selected through a build variable"}, "properties": {"repobilityId": 82429, "scanner": "repobility-docker", "fingerprint": "02c17f40c9490287d148acba099d650d7bc2ca8bebbcae2ebea181d17a5d0ce9", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${OPEN_DESIGN_IMAGE:-docker.io/vanjayak/open-design:latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|02c17f40c9490287d148acba099d650d7bc2ca8bebbcae2ebea181d17a5d0ce9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 82427, "scanner": "repobility-docker", "fingerprint": "49f0f44a8e4dcd4a58c145b7d9bac83243e147736baab133318b31a6914bc74b", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${RUNTIME_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|49f0f44a8e4dcd4a58c145b7d9bac83243e147736baab133318b31a6914bc74b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/Dockerfile"}, "region": {"startLine": 81}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 82426, "scanner": "repobility-docker", "fingerprint": "cffd02adf444e7da00beb5870706b45f865c2a29358c6bc1febb795697c396c6", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${NODE_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|cffd02adf444e7da00beb5870706b45f865c2a29358c6bc1febb795697c396c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 82395, "scanner": "repobility-threat-engine", "fingerprint": "120f091b1b7a443cf7f2f0791356979c09a96f14953db4983a9cd4165d07c781", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|120f091b1b7a443cf7f2f0791356979c09a96f14953db4983a9cd4165d07c781"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/watchlist.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 82393, "scanner": "repobility-threat-engine", "fingerprint": "ea7e91dd5c7e64706a198254e066b520737d0337b0e2613fa045355b61c46188", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "generate_daily", "breakdown": {"if": 6, "for": 3, "except": 1, "ternary": 2, "nested_bonus": 6}, "aggregated": true, "complexity": 18, "correlation_key": "fp|ea7e91dd5c7e64706a198254e066b520737d0337b0e2613fa045355b61c46188", "aggregated_count": 12}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 82389, "scanner": "repobility-threat-engine", "fingerprint": "bdd0ac40cfc085cae7e09d8a963f8e169f95f66106f759bddf0cbcf3c66a5f59", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bdd0ac40cfc085cae7e09d8a963f8e169f95f66106f759bddf0cbcf3c66a5f59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/html-ppt/assets/animations/fx-runtime.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 82388, "scanner": "repobility-threat-engine", "fingerprint": "a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 82377, "scanner": "repobility-threat-engine", "fingerprint": "e7e63c33ff9741b9255e12b891dfdd33da4fc4e63b4b047c2060ec0d0f566034", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7e63c33ff9741b9255e12b891dfdd33da4fc4e63b4b047c2060ec0d0f566034"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/plugins-home/cards/DesignSystemSurface.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 82376, "scanner": "repobility-threat-engine", "fingerprint": "1c7a46ee7315776a101887342b81adc04eca83df18ca3f5e7daffa56fa53e574", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1c7a46ee7315776a101887342b81adc04eca83df18ca3f5e7daffa56fa53e574"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/PaletteTweaks.tsx"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 82375, "scanner": "repobility-threat-engine", "fingerprint": "fe13d8eae2624dd7f5a5570eaf390f38137889d5176e93ad7dfcf68eedd719f0", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'spec\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe13d8eae2624dd7f5a5570eaf390f38137889d5176e93ad7dfcf68eedd719f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/DesignSpecView.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 82374, "scanner": "repobility-threat-engine", "fingerprint": "9748522fadd8b7fde923004ad690634d9adc14acbd809a31cb13f96a59be0eb7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9748522fadd8b7fde923004ad690634d9adc14acbd809a31cb13f96a59be0eb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/layout.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 82373, "scanner": "repobility-threat-engine", "fingerprint": "8c8c5be72400c3497265d46551287c6deabf9e449114baf073a6deb05ac8bb8d", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b|mock|fixture|spec\\b' detected on same line", "evidence": {"match": "'color-mix(in srgb, '+a+' 86%, var(--text-strong))'", "reason": "Safe pattern 'test\\b|mock|fixture|spec\\b' detected on same line", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|8c8c5be72400c3497265d46551287c6deabf9e449114baf073a6deb05ac8bb8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/app/layout.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 82371, "scanner": "repobility-threat-engine", "fingerprint": "3491c3ce195f5fc38cf91d4a94335ce9d6a115014e93d5489c0b9969d67e17bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3491c3ce195f5fc38cf91d4a94335ce9d6a115014e93d5489c0b9969d67e17bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-design-system-flag-parity.ts"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 82370, "scanner": "repobility-threat-engine", "fingerprint": "d35c0ed44af0287bf18016972d81acaba239fdff8e58807143bb229455747535", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'fixture' detected on same line", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d35c0ed44af0287bf18016972d81acaba239fdff8e58807143bb229455747535"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-components-fixtures.ts"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 82369, "scanner": "repobility-threat-engine", "fingerprint": "a7d68f6bcc71ec336c63096d738203bb74b86f21d0ed6b595edd8b5ff823cfae", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7d68f6bcc71ec336c63096d738203bb74b86f21d0ed6b595edd8b5ff823cfae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/landing-page/scripts/blog-indexing/authorize-gsc-oauth.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 82368, "scanner": "repobility-threat-engine", "fingerprint": "3fda332983ea95e232be647c4c23f2f52d1e52325947b612d157205cc03f503d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3fda332983ea95e232be647c4c23f2f52d1e52325947b612d157205cc03f503d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/landing-page/functions/subscribe.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 82367, "scanner": "repobility-threat-engine", "fingerprint": "78c5f555c443c87f60a8f2fa922a30ff2b82f3da1b2fe11cbf0cccd711910a75", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78c5f555c443c87f60a8f2fa922a30ff2b82f3da1b2fe11cbf0cccd711910a75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/landing-page/app/solutions-index-i18n.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 82365, "scanner": "repobility-threat-engine", "fingerprint": "57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "aggregated_count": 2}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 82364, "scanner": "repobility-threat-engine", "fingerprint": "6eec22960391a51f7ada516f6f1855878cff6f7d5214ab6b20a0da861a5c2cc2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6eec22960391a51f7ada516f6f1855878cff6f7d5214ab6b20a0da861a5c2cc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/routes/live-artifact.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 82363, "scanner": "repobility-threat-engine", "fingerprint": "d246852494df649d8085184469285d83398b417d29660d2e9c381ac8561458bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d246852494df649d8085184469285d83398b417d29660d2e9c381ac8561458bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/routes/handoff.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 82362, "scanner": "repobility-threat-engine", "fingerprint": "7018b127c8b9b44eadfa2b41620a074e45a9c9d6c119222f1096fe4fd721fb48", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7018b127c8b9b44eadfa2b41620a074e45a9c9d6c119222f1096fe4fd721fb48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/routes/deploy.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 82361, "scanner": "repobility-threat-engine", "fingerprint": "bc129f2192361c1cda8f5b32a77a57cd4e6101bf622fd0ba4e727442c6a135b6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bc129f2192361c1cda8f5b32a77a57cd4e6101bf622fd0ba4e727442c6a135b6"}}}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 82353, "scanner": "repobility-threat-engine", "fingerprint": "5ea93a360a8cab85a8d84c16b8abd4011577f63034e9418c2f34325efcb60c82", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5ea93a360a8cab85a8d84c16b8abd4011577f63034e9418c2f34325efcb60c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/prompts/panel.ts"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 82352, "scanner": "repobility-threat-engine", "fingerprint": "1f86c58ef9b62a950766a78159a52ade178ec91dbcf68b6e9e94ab67edc649ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1f86c58ef9b62a950766a78159a52ade178ec91dbcf68b6e9e94ab67edc649ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/plugins/atoms.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 82351, "scanner": "repobility-threat-engine", "fingerprint": "133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "aggregated_count": 4}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 82350, "scanner": "repobility-threat-engine", "fingerprint": "a0e9a811e52b062385a47133eeff36125e1d6e136b1aefbe09a06bfec413fb8f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0e9a811e52b062385a47133eeff36125e1d6e136b1aefbe09a06bfec413fb8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/xai-oauth.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 82349, "scanner": "repobility-threat-engine", "fingerprint": "43ada9df81697fdf67d93f7db003af2b3aaa36b25bb1c6297c7bc4cbdb415d3f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|43ada9df81697fdf67d93f7db003af2b3aaa36b25bb1c6297c7bc4cbdb415d3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/xai-oauth-server.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 82348, "scanner": "repobility-threat-engine", "fingerprint": "41828a11f146876226add55e49a2647657febf0509f2012f5337032a5d892d2b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41828a11f146876226add55e49a2647657febf0509f2012f5337032a5d892d2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/origin-validation.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "properties": {"repobilityId": 82347, "scanner": "repobility-threat-engine", "fingerprint": "9ff29688365d7a1b29fad589162cf862a45f8f595399e6838a585c35051db6fb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9ff29688365d7a1b29fad589162cf862a45f8f595399e6838a585c35051db6fb", "aggregated_count": 47}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 82346, "scanner": "repobility-threat-engine", "fingerprint": "dbbf77ea27cc65fe5b8c435da92e730b7497a29c88d087bd2cab943d3c31ba21", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dbbf77ea27cc65fe5b8c435da92e730b7497a29c88d087bd2cab943d3c31ba21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/media-adapters/video.ts"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 82345, "scanner": "repobility-threat-engine", "fingerprint": "f96f220b9f9c299fd103da2968dc9a31f0178346f42bd5f4a2e0485c078cc0bf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f96f220b9f9c299fd103da2968dc9a31f0178346f42bd5f4a2e0485c078cc0bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/mcp-tokens.ts"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 82344, "scanner": "repobility-threat-engine", "fingerprint": "96d2830c9521dcafa66520fae5ef233d864e34d26806c17eb53ae9dfebbc320c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96d2830c9521dcafa66520fae5ef233d864e34d26806c17eb53ae9dfebbc320c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/document-preview.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 82343, "scanner": "repobility-threat-engine", "fingerprint": "42b331c1e4b17f85d81db72d75262314338abed6e5bfedff208d2157846ef882", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|42b331c1e4b17f85d81db72d75262314338abed6e5bfedff208d2157846ef882"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 82339, "scanner": "repobility-threat-engine", "fingerprint": "c941bd302564b8021d1b08d0d65e00df707db3d224fb906fed7262043f3e5cb6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c941bd302564b8021d1b08d0d65e00df707db3d224fb906fed7262043f3e5cb6"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "properties": {"repobilityId": 82333, "scanner": "repobility-threat-engine", "fingerprint": "be336c696c982cf7b59cd86163453e0ad9ee30a4dfd16bd9205d0e84ac4d16b4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|be336c696c982cf7b59cd86163453e0ad9ee30a4dfd16bd9205d0e84ac4d16b4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "properties": {"repobilityId": 82329, "scanner": "repobility-threat-engine", "fingerprint": "02beee41be13737ea53f68ab1916845103d7d11e76c93401dcfacc970443ae2b", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 41 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 41 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|02beee41be13737ea53f68ab1916845103d7d11e76c93401dcfacc970443ae2b"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 82325, "scanner": "repobility-threat-engine", "fingerprint": "9d09085a62f5d2dbdd36535f5fd5dba87bc903f20f48c46050db095c0a21fb0a", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9d09085a62f5d2dbdd36535f5fd5dba87bc903f20f48c46050db095c0a21fb0a"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 82324, "scanner": "repobility-threat-engine", "fingerprint": "c5b7070f704f80d9d256465b845bf13bcfa3e4dd03b49b4e89b5050b423fb709", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token / eventid .ts|76|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/landing-page/functions/share/[eventId].ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 82323, "scanner": "repobility-threat-engine", "fingerprint": "a1bc21364d7940f59779927fa3e217c4a558cae7660e567f027f669748eb71f8", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token / eventid .ts|109|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/landing-page/functions/share-out/[eventId].ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 82322, "scanner": "repobility-threat-engine", "fingerprint": "6485a6449202418349f8ce69c90eed88562519a4ba15359de0892f5c165d1415", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|266|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/analytics.ts"}, "region": {"startLine": 266}}}]}, {"ruleId": "SEC114", "level": "none", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 82321, "scanner": "repobility-threat-engine", "fingerprint": "812c1c0c1b9f86ff999179f5f0f257bed61ae320c1600ec91c87e434cce67f0a", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|812c1c0c1b9f86ff999179f5f0f257bed61ae320c1600ec91c87e434cce67f0a"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 82317, "scanner": "repobility-threat-engine", "fingerprint": "9ecf0ec1c66149fd23ea4aae81bc9618aef49678ec2ff71cb7e64aef00d5c03a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9ecf0ec1c66149fd23ea4aae81bc9618aef49678ec2ff71cb7e64aef00d5c03a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/runtime/shiki.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 82316, "scanner": "repobility-threat-engine", "fingerprint": "bc337421893df8e6745a6c19c91fa0140a1c58defbfab92d50f20a92b0f1722f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc337421893df8e6745a6c19c91fa0140a1c58defbfab92d50f20a92b0f1722f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/route-registration-guard.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 82315, "scanner": "repobility-threat-engine", "fingerprint": "05bb762f22305cdcd47712465901c6594a79150fd77c53c9b5df2edec71a4fcf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|05bb762f22305cdcd47712465901c6594a79150fd77c53c9b5df2edec71a4fcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/aihubmix.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 82314, "scanner": "repobility-threat-engine", "fingerprint": "f78a027198e35a77dc3724085af14f3428895c5a442fbee6f443ad49b554c980", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f78a027198e35a77dc3724085af14f3428895c5a442fbee6f443ad49b554c980"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 82313, "scanner": "repobility-threat-engine", "fingerprint": "c6f6e790351ba626c4409823da11566bf3c234019c03b65c22b63672bcd3908a", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.warn(\"newsletter_resend_unset: RESEND_API_KEY missing; skipped Resend, KV only\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|15|console.warn newsletter_resend_unset: resend_api_key missing skipped resend kv only"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/landing-page/functions/subscribe.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 82312, "scanner": "repobility-threat-engine", "fingerprint": "1058e25839db540b1c7602c67cead27b2d25de03f7cb26f61bf6b2beb5b1dda0", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error('[xai-tokens] Corrupted JSON, returning empty:', e.message)", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|console.error xai-tokens corrupted json returning empty: e.message"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/xai-tokens.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 82311, "scanner": "repobility-threat-engine", "fingerprint": "619c742b0fe923b1716a8e88c19b336628901cd2e66469aacafaf2f1f6b6b9e3", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error('[mcp-tokens] Corrupted JSON, returning empty:', e.message)", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|15|console.error mcp-tokens corrupted json returning empty: e.message"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/mcp-tokens.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 72 more): Same pattern found in 72 additional files. Review if needed."}, "properties": {"repobilityId": 82310, "scanner": "repobility-threat-engine", "fingerprint": "1e7e9172f9bcfa2fc6630fde4af88765eb53365a06ad56c69212495859ee7a91", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 72 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 72 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1e7e9172f9bcfa2fc6630fde4af88765eb53365a06ad56c69212495859ee7a91"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "properties": {"repobilityId": 82306, "scanner": "repobility-threat-engine", "fingerprint": "0053b5d9f4dc69b09e568e885f9d0906d2e490f422b43d51e27ae29bec667001", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 64 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0053b5d9f4dc69b09e568e885f9d0906d2e490f422b43d51e27ae29bec667001", "aggregated_count": 64}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 82305, "scanner": "repobility-threat-engine", "fingerprint": "4f0a09af144aa15f77fe9475b4a1a76520e6fe5277dfd4584f589d2e533c5fe1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f0a09af144aa15f77fe9475b4a1a76520e6fe5277dfd4584f589d2e533c5fe1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/release/r2/publish-platform.ts"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 82304, "scanner": "repobility-threat-engine", "fingerprint": "1691700979dff63c6ea41e1d1b551a5d6f52ffb69ee4868c14dc119573a9425c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1691700979dff63c6ea41e1d1b551a5d6f52ffb69ee4868c14dc119573a9425c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/release/r2/publish-beta-metadata.ts"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 82303, "scanner": "repobility-threat-engine", "fingerprint": "f646b3e31b68ff1d9eb3a2e67ff10e985ee986fa420195631939e89af9b5c471", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f646b3e31b68ff1d9eb3a2e67ff10e985ee986fa420195631939e89af9b5c471"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/release/feishu/notify.ts"}, "region": {"startLine": 176}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 82302, "scanner": "repobility-threat-engine", "fingerprint": "1231d1568fe46b0359a9552e6f5b0080c104928e5ddbfe51869a88207b0f7e54", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1231d1568fe46b0359a9552e6f5b0080c104928e5ddbfe51869a88207b0f7e54"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `tools/pack/resources/win/7zip/7z.exe` committed in source repo: `tools/pack/resources/win/7zip/7z.exe` is a .exe binary (575,488 bytes) committed to a repo that otherwise has 1865 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 82538, "scanner": "repobility-supply-chain", "fingerprint": "32aa7fdd45cb5739f613cb1671d02f0b14d89fa875cabb186e3236354a8addba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|32aa7fdd45cb5739f613cb1671d02f0b14d89fa875cabb186e3236354a8addba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/pack/resources/win/7zip/7z.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `tools/pack/resources/win/7zip/7z.dll` committed in source repo: `tools/pack/resources/win/7zip/7z.dll` is a .dll binary (1,908,736 bytes) committed to a repo that otherwise has 1865 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 82537, "scanner": "repobility-supply-chain", "fingerprint": "464053ae5f5dd8405620e52e927dea35e7268a478f27002915d2e47b0abe13bd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|464053ae5f5dd8405620e52e927dea35e7268a478f27002915d2e47b0abe13bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/pack/resources/win/7zip/7z.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82536, "scanner": "repobility-supply-chain", "fingerprint": "dc889eb51c86f8d892d11ac6d629d52adf36eaaba71339cf59d07f639435a4a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc889eb51c86f8d892d11ac6d629d52adf36eaaba71339cf59d07f639435a4a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-beta.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82535, "scanner": "repobility-supply-chain", "fingerprint": "a92723cb3cacf2e915b549e16f51654e778d433a9627b4cee52b4de34527cf92", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a92723cb3cacf2e915b549e16f51654e778d433a9627b4cee52b4de34527cf92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-beta.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cloudflare/wrangler-action` pinned to mutable ref `@v3`: `uses: cloudflare/wrangler-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82534, "scanner": "repobility-supply-chain", "fingerprint": "5cdb3171a56c1fe22f2b9165211daddd2f914c7c09a9d3940595ea61278c3726", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5cdb3171a56c1fe22f2b9165211daddd2f914c7c09a9d3940595ea61278c3726"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/landing-page-production.yml"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5.0.5`: `uses: actions/cache@v5.0.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82533, "scanner": "repobility-supply-chain", "fingerprint": "567490f0af88cc997865e7acc867d05f8b462d89709403eaf075ae5eaaba1c8d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|567490f0af88cc997865e7acc867d05f8b462d89709403eaf075ae5eaaba1c8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/landing-page-production.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5.0.5`: `uses: actions/cache@v5.0.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82532, "scanner": "repobility-supply-chain", "fingerprint": "5325a6c4c274312ee097559bb3e9fd0f4e69d3896059e394fe7ecbbdcb4490d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5325a6c4c274312ee097559bb3e9fd0f4e69d3896059e394fe7ecbbdcb4490d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/landing-page-production.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82531, "scanner": "repobility-supply-chain", "fingerprint": "6d8dc59b0b79e64b6704dd5fce110676eb6887d1c2f955bcb3a938fa6fb72c35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6d8dc59b0b79e64b6704dd5fce110676eb6887d1c2f955bcb3a938fa6fb72c35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/landing-page-production.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v5`: `uses: pnpm/action-setup@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82530, "scanner": "repobility-supply-chain", "fingerprint": "b022c527772bce10b2a787cbf805c5e97cc8d418ea0c3faa08c35abf93bd88fd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b022c527772bce10b2a787cbf805c5e97cc8d418ea0c3faa08c35abf93bd88fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/landing-page-production.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82529, "scanner": "repobility-supply-chain", "fingerprint": "e83c5b7428e0d15fc23743c3c3db384c5df19071f5edaff4d5e7700c659262c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e83c5b7428e0d15fc23743c3c3db384c5df19071f5edaff4d5e7700c659262c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/landing-page-production.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82528, "scanner": "repobility-supply-chain", "fingerprint": "fa890dee5cd5ce6b2e56876cce0322c46d8c9bc608cdcc37f82cfab5f9351d52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa890dee5cd5ce6b2e56876cce0322c46d8c9bc608cdcc37f82cfab5f9351d52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-image.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82527, "scanner": "repobility-supply-chain", "fingerprint": "695979c00449f3ccb4d7f478131e1e5aedd9a1b897f60b9918e173d1d5afb763", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|695979c00449f3ccb4d7f478131e1e5aedd9a1b897f60b9918e173d1d5afb763"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/seo-daily-report.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v5`: `uses: pnpm/action-setup@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82526, "scanner": "repobility-supply-chain", "fingerprint": "25837bcc64b5059e86d773ac7885908b6c3948455ff42fb70758d01e4369344e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25837bcc64b5059e86d773ac7885908b6c3948455ff42fb70758d01e4369344e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/seo-daily-report.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82525, "scanner": "repobility-supply-chain", "fingerprint": "49fd4d8ce6c3884bd22d25800608993f1b83bc6e7668e7ff30845042439a552f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|49fd4d8ce6c3884bd22d25800608993f1b83bc6e7668e7ff30845042439a552f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/seo-daily-report.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82524, "scanner": "repobility-supply-chain", "fingerprint": "4b780fdf1e06c37155d0ad16e80a00a76d8537f27e0bac264126fe3bb446a121", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b780fdf1e06c37155d0ad16e80a00a76d8537f27e0bac264126fe3bb446a121"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/refresh-contributors-wall.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v2`: `uses: actions/create-github-app-token@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82523, "scanner": "repobility-supply-chain", "fingerprint": "4bedb159a50977bdcdfd538abe68cc81d3d539b65ce1e0a26a0a4b972e39d7ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4bedb159a50977bdcdfd538abe68cc81d3d539b65ce1e0a26a0a4b972e39d7ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/refresh-contributors-wall.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82522, "scanner": "repobility-supply-chain", "fingerprint": "ab66d95211ed4154aa7776f5cbf13267b4333d91a5812b1ecf54a3abe8954c5d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab66d95211ed4154aa7776f5cbf13267b4333d91a5812b1ecf54a3abe8954c5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/refresh-contributors-wall.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82521, "scanner": "repobility-supply-chain", "fingerprint": "0452bd4b4b7ea09a27772c2031245bee19e5a0af67a747922b4f1b9bafe9e32a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0452bd4b4b7ea09a27772c2031245bee19e5a0af67a747922b4f1b9bafe9e32a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/discord-resolved.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6.4.0`: `uses: actions/setup-node@v6.4.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82520, "scanner": "repobility-supply-chain", "fingerprint": "3d1805465f9c8fd0f5273bc9ea3ab1e97b04308febee207f8ed9ef355afb0dca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d1805465f9c8fd0f5273bc9ea3ab1e97b04308febee207f8ed9ef355afb0dca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fork-pr-workflow-approval.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82519, "scanner": "repobility-supply-chain", "fingerprint": "7107aea16a9c453122b8149ef0323f7f8637d085cd8b4c6bbe6c6f368e80e4ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7107aea16a9c453122b8149ef0323f7f8637d085cd8b4c6bbe6c6f368e80e4ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fork-pr-workflow-approval.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v9`: `uses: actions/stale@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82518, "scanner": "repobility-supply-chain", "fingerprint": "f2f349a70e612792f0d8a644ebc7e2b1457b00fad218222b8b2f83b43afa0c4b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f2f349a70e612792f0d8a644ebc7e2b1457b00fad218222b8b2f83b43afa0c4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale-issues.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82517, "scanner": "repobility-supply-chain", "fingerprint": "3e2e0e937af7f2cc062bd5d8280a3feec4122576ad8c26134ce73548afe510e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e2e0e937af7f2cc062bd5d8280a3feec4122576ad8c26134ce73548afe510e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale-issues.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82516, "scanner": "repobility-supply-chain", "fingerprint": "f7e3876d32ffe0befe73a1a7b36d5b0ada77bb6841be4407a64a1c7217bbbe99", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f7e3876d32ffe0befe73a1a7b36d5b0ada77bb6841be4407a64a1c7217bbbe99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-author-inactivity.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82513, "scanner": "repobility-supply-chain", "fingerprint": "926864110d4f578c1846b06314a493ea08e6e6273852c472f5335f7cab425858", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|926864110d4f578c1846b06314a493ea08e6e6273852c472f5335f7cab425858"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/landing-page-ci.yml"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cloudflare/wrangler-action` pinned to mutable ref `@v3`: `uses: cloudflare/wrangler-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82512, "scanner": "repobility-supply-chain", "fingerprint": "f516e6e0a0595152df9ba3854cc5cf0be12751c5d282aaf6a248de602bd1894c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f516e6e0a0595152df9ba3854cc5cf0be12751c5d282aaf6a248de602bd1894c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/landing-page-ci.yml"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v5.0.5`: `uses: actions/cache@v5.0.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82511, "scanner": "repobility-supply-chain", "fingerprint": "7bb6da931907a3220793dc7758b59d1fa8cad4e3d6975b991f6a2df8e5690773", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7bb6da931907a3220793dc7758b59d1fa8cad4e3d6975b991f6a2df8e5690773"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/landing-page-ci.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 82510, "scanner": "repobility-supply-chain", "fingerprint": "bdb00f06b754f4cfa3408d809b6ccce01d22c5232d1d8cc40bebffeefa94792c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bdb00f06b754f4cfa3408d809b6ccce01d22c5232d1d8cc40bebffeefa94792c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/landing-page-ci.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/projects/:id/folders has no auth: Express route DELETE /api/projects/:id/folders declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82509, "scanner": "repobility-route-auth", "fingerprint": "0e828f7edc6184f2bb789bab95d09b8050ad842c6bd26a1dc11ce7861893ecb5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0e828f7edc6184f2bb789bab95d09b8050ad842c6bd26a1dc11ce7861893ecb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 2075}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/folders has no auth: Express route POST /api/projects/:id/folders declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82508, "scanner": "repobility-route-auth", "fingerprint": "5350f568abeb354237457cc071b964a97d327a2a3484d39f5159929358ef9777", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5350f568abeb354237457cc071b964a97d327a2a3484d39f5159929358ef9777"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 2051}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/artifacts/lint has no auth: Express route POST /api/artifacts/lint declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82507, "scanner": "repobility-route-auth", "fingerprint": "7ec6e849f12cece0ca5cca02f26694692c6223e512ea2d86994d78eabe610e7d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7ec6e849f12cece0ca5cca02f26694692c6223e512ea2d86994d78eabe610e7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1863}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/artifacts/save has no auth: Express route POST /api/artifacts/save declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82506, "scanner": "repobility-route-auth", "fingerprint": "0e99be10b684b87011fd6ed4da1d95a3d48c7404b472c539e8b8044ecb219b26", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0e99be10b684b87011fd6ed4da1d95a3d48c7404b472c539e8b8044ecb219b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1837}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/upload has no auth: Express route POST /api/upload declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82505, "scanner": "repobility-route-auth", "fingerprint": "441e526e64f77e1fece888b34f8bf1750c854c7ac1c4148353590335e84a3369", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|441e526e64f77e1fece888b34f8bf1750c854c7ac1c4148353590335e84a3369"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1823}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/templates/:id has no auth: Express route DELETE /api/templates/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82504, "scanner": "repobility-route-auth", "fingerprint": "4f7a3427cc4f6476935569d7fe66f4082d2bc42d2958ebd0e6246af14651f275", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4f7a3427cc4f6476935569d7fe66f4082d2bc42d2958ebd0e6246af14651f275"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1809}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/templates has no auth: Express route POST /api/templates declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82503, "scanner": "repobility-route-auth", "fingerprint": "5f7df5a0e7d370c40978c4775c4eaed79df836061b196acac438ff16c08d6ce2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5f7df5a0e7d370c40978c4775c4eaed79df836061b196acac438ff16c08d6ce2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1745}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT /api/projects/:id/tabs has no auth: Express route PUT /api/projects/:id/tabs declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82502, "scanner": "repobility-route-auth", "fingerprint": "9a83886b08ed13a7d0c9087724a4482b4de74e130b21374fee6916a115903e13", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9a83886b08ed13a7d0c9087724a4482b4de74e130b21374fee6916a115903e13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1705}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/projects/:id/conversations/:cid/comments/:commentId has no auth: Express route DELETE /api/projects/:id/conversations/:cid/comments/:commentId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82501, "scanner": "repobility-route-auth", "fingerprint": "cc61d502a70f703ef3817684e16b624805b6345b9403c70d7b85ba465cbebd7e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|cc61d502a70f703ef3817684e16b624805b6345b9403c70d7b85ba465cbebd7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1677}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /api/projects/:id/conversations/:cid/comments/:commentId has no auth: Express route PATCH /api/projects/:id/conversations/:cid/comments/:commentId declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82500, "scanner": "repobility-route-auth", "fingerprint": "d7ea06fa59eaa67ed8c6537340470c4076c9b1a6a3d64653b809b02b90d6e162", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d7ea06fa59eaa67ed8c6537340470c4076c9b1a6a3d64653b809b02b90d6e162"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1652}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/conversations/:cid/comments has no auth: Express route POST /api/projects/:id/conversations/:cid/comments declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82499, "scanner": "repobility-route-auth", "fingerprint": "9192b49696b1007778690cc743973aa0ae37216dea61e4af88d09d4e62dfae8b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9192b49696b1007778690cc743973aa0ae37216dea61e4af88d09d4e62dfae8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1633}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT /api/projects/:id/conversations/:cid/messages/:mid has no auth: Express route PUT /api/projects/:id/conversations/:cid/messages/:mid declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82498, "scanner": "repobility-route-auth", "fingerprint": "8d10b0abb317e78e9c87f1cee509852801aeff4e633342920b9c94b624d33cde", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8d10b0abb317e78e9c87f1cee509852801aeff4e633342920b9c94b624d33cde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1602}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/projects/:id/conversations/:cid has no auth: Express route DELETE /api/projects/:id/conversations/:cid declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82497, "scanner": "repobility-route-auth", "fingerprint": "4a7f27849310f8a774b152ef439910662a38c5ef28e70c57066a0ab3a96d2dc7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4a7f27849310f8a774b152ef439910662a38c5ef28e70c57066a0ab3a96d2dc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1583}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /api/projects/:id/conversations/:cid has no auth: Express route PATCH /api/projects/:id/conversations/:cid declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82496, "scanner": "repobility-route-auth", "fingerprint": "d3c9ec7775965bda00518281def19bf0d80d40d5048e9583d4d1cd3fb9aca2ff", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d3c9ec7775965bda00518281def19bf0d80d40d5048e9583d4d1cd3fb9aca2ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1574}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/conversations has no auth: Express route POST /api/projects/:id/conversations declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82495, "scanner": "repobility-route-auth", "fingerprint": "a5837f0f3e98136eb2a54b290f85b17c5e49e1a02649cf3a9f07b85a4ef8b340", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a5837f0f3e98136eb2a54b290f85b17c5e49e1a02649cf3a9f07b85a4ef8b340"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1487}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/projects/:id has no auth: Express route DELETE /api/projects/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82494, "scanner": "repobility-route-auth", "fingerprint": "0a8ffb6916ed58b16664e0e4811d311f593bd403c9c21b09c16d1697bca1a989", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0a8ffb6916ed58b16664e0e4811d311f593bd403c9c21b09c16d1697bca1a989"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1420}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /api/projects/:id has no auth: Express route PATCH /api/projects/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82493, "scanner": "repobility-route-auth", "fingerprint": "b4ff2e2e706a268f022816763dd753845407c5b81142a4a3af3990e17f4ba9de", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b4ff2e2e706a268f022816763dd753845407c5b81142a4a3af3990e17f4ba9de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1313}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects has no auth: Express route POST /api/projects declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82492, "scanner": "repobility-route-auth", "fingerprint": "822d27bf66577196db53229c6c5ec72ae214840a97e568dc5b00a78352e65404", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|822d27bf66577196db53229c6c5ec72ae214840a97e568dc5b00a78352e65404"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 1056}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/project-locations/scan has no auth: Express route POST /api/project-locations/scan declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82491, "scanner": "repobility-route-auth", "fingerprint": "9bffd1b1ed16af8fde8db84d4f0c3f8174450bc4de3bf2638df5434d2a5e85a0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9bffd1b1ed16af8fde8db84d4f0c3f8174450bc4de3bf2638df5434d2a5e85a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 946}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT /api/project-locations has no auth: Express route PUT /api/project-locations declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82490, "scanner": "repobility-route-auth", "fingerprint": "0a95ee9a7ec4040db5c6db43bcb9b7e10786714c17f6da726a21dc0b07021e23", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0a95ee9a7ec4040db5c6db43bcb9b7e10786714c17f6da726a21dc0b07021e23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/project-routes.ts"}, "region": {"startLine": 915}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/projects/:id/terminals/:tid has no auth: Express route DELETE /api/projects/:id/terminals/:tid declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82489, "scanner": "repobility-route-auth", "fingerprint": "3067b801d393f4036fc69bd1b280f4749d91bc73325f29cdb7d3c545165dcec1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3067b801d393f4036fc69bd1b280f4749d91bc73325f29cdb7d3c545165dcec1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/terminal-routes.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/terminals/:tid/kill has no auth: Express route POST /api/projects/:id/terminals/:tid/kill declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82488, "scanner": "repobility-route-auth", "fingerprint": "e88227a40145a2a9e55b0cc2f5d6a1431261bab3fd83cf45ce1e4710662626a1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e88227a40145a2a9e55b0cc2f5d6a1431261bab3fd83cf45ce1e4710662626a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/terminal-routes.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/terminals/:tid/resize has no auth: Express route POST /api/projects/:id/terminals/:tid/resize declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82487, "scanner": "repobility-route-auth", "fingerprint": "ca07cc0a30d1b550fd117ced3ba555b2ff152584cb1b55dcd3c304c3d48582a0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ca07cc0a30d1b550fd117ced3ba555b2ff152584cb1b55dcd3c304c3d48582a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/terminal-routes.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/terminals/:tid/stdin has no auth: Express route POST /api/projects/:id/terminals/:tid/stdin declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82486, "scanner": "repobility-route-auth", "fingerprint": "9235b7d7f12772a9b5fe76f8c4155d97a9b780d5346e943151e62e260dcc55dd", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9235b7d7f12772a9b5fe76f8c4155d97a9b780d5346e943151e62e260dcc55dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/terminal-routes.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/:id/terminals has no auth: Express route POST /api/projects/:id/terminals declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 82485, "scanner": "repobility-route-auth", "fingerprint": "e10f1f957f9e0d2bdfe7bb658867c785a877bca2d648d89611293a9ae71a67b8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e10f1f957f9e0d2bdfe7bb658867c785a877bca2d648d89611293a9ae71a67b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/terminal-routes.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._spin` used but never assigned in __init__: Method `start` of class `Spinner` reads `self._spin`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82484, "scanner": "repobility-ast-engine", "fingerprint": "65ac47ae8c49d0e96b734f6089e19f96d6a7baab43625578acaf45b56d28c5af", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|65ac47ae8c49d0e96b734f6089e19f96d6a7baab43625578acaf45b56d28c5af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/ui.py"}, "region": {"startLine": 250}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._generate_content` used but never assigned in __init__: Method `generate_text` of class `GeminiClient` reads `self._generate_content`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82483, "scanner": "repobility-ast-engine", "fingerprint": "96aee96679307a3d412d73e48a09595d18135b502f72d9aaae15c604dcdfe573", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|96aee96679307a3d412d73e48a09595d18135b502f72d9aaae15c604dcdfe573"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/providers.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generate_text` used but never assigned in __init__: Method `generate_json` of class `ReasoningClient` reads `self.generate_text`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82482, "scanner": "repobility-ast-engine", "fingerprint": "8d135221e3f3c664d59bc727bdc8df327178f19b05b300a21fa957ca7960c44b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8d135221e3f3c664d59bc727bdc8df327178f19b05b300a21fa957ca7960c44b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/lib/providers.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertRaisesRegex` used but never assigned in __init__: Method `test_rejects_traversal_in_input_images_via_main` of class `TestMainJobTraversalRejection` reads `self.assertRaisesRegex`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82456, "scanner": "repobility-ast-engine", "fingerprint": "86af75802aa71cab88f11c3842e21b30ac747a6f40d2c647a9ace46b21b1cfd5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|86af75802aa71cab88f11c3842e21b30ac747a6f40d2c647a9ace46b21b1cfd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.subTest` used but never assigned in __init__: Method `test_rejects_traversal_in_input_images_via_main` of class `TestMainJobTraversalRejection` reads `self.subTest`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82455, "scanner": "repobility-ast-engine", "fingerprint": "ad09581f286d89b47f1e451cdf09a87944791ceade8ac5b5b3abdfd60032dbd1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ad09581f286d89b47f1e451cdf09a87944791ceade8ac5b5b3abdfd60032dbd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertRaisesRegex` used but never assigned in __init__: Method `test_rejects_traversal_in_output_path` of class `TestMainJobTraversalRejection` reads `self.assertRaisesRegex`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82454, "scanner": "repobility-ast-engine", "fingerprint": "48fea505f6cd411329872fafcd9149b0837641937a86e3f6019008c48df4f0f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|48fea505f6cd411329872fafcd9149b0837641937a86e3f6019008c48df4f0f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.subTest` used but never assigned in __init__: Method `test_rejects_traversal_in_output_path` of class `TestMainJobTraversalRejection` reads `self.subTest`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82453, "scanner": "repobility-ast-engine", "fingerprint": "ccd39849a85511380434d7b93d40a296de086076e84772bba7cdb1200055c2ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ccd39849a85511380434d7b93d40a296de086076e84772bba7cdb1200055c2ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertRaisesRegex` used but never assigned in __init__: Method `test_rejects_traversal_in_prompt_file` of class `TestMainJobTraversalRejection` reads `self.assertRaisesRegex`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82452, "scanner": "repobility-ast-engine", "fingerprint": "67e76898d4a960e0152ccffda2eb921ede7d69835e1bebbf01110192ccb66eae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67e76898d4a960e0152ccffda2eb921ede7d69835e1bebbf01110192ccb66eae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.subTest` used but never assigned in __init__: Method `test_rejects_traversal_in_prompt_file` of class `TestMainJobTraversalRejection` reads `self.subTest`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82451, "scanner": "repobility-ast-engine", "fingerprint": "0fb852b2e3ee96656741c43d2efba6542ef8f020c928cb8f3688db76ada669b1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0fb852b2e3ee96656741c43d2efba6542ef8f020c928cb8f3688db76ada669b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertRaisesRegex` used but never assigned in __init__: Method `test_rejects_missing_safe_path` of class `TestPathListTraversalRejection` reads `self.assertRaisesRegex`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82450, "scanner": "repobility-ast-engine", "fingerprint": "0abe4535e41e76a4d215d6eb279c0e6e5d983b6b88b759e5b9ece9e166735454", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0abe4535e41e76a4d215d6eb279c0e6e5d983b6b88b759e5b9ece9e166735454"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_accepts_safe_path_when_file_exists` of class `TestPathListTraversalRejection` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82449, "scanner": "repobility-ast-engine", "fingerprint": "e564675d5533086e1604131c0f36429a9151478ce00d7eae3001110d58f4edae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e564675d5533086e1604131c0f36429a9151478ce00d7eae3001110d58f4edae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertRaisesRegex` used but never assigned in __init__: Method `test_rejects_traversal_in_input_images` of class `TestPathListTraversalRejection` reads `self.assertRaisesRegex`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82448, "scanner": "repobility-ast-engine", "fingerprint": "b8779e0dac862d9f142e3676e263e01480ef3a2af35922ba53d21769e4f30cbe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b8779e0dac862d9f142e3676e263e01480ef3a2af35922ba53d21769e4f30cbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.subTest` used but never assigned in __init__: Method `test_rejects_traversal_in_input_images` of class `TestPathListTraversalRejection` reads `self.subTest`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 82447, "scanner": "repobility-ast-engine", "fingerprint": "8b42332a2c5d43a66559a465bf6f8bf81fceb31a830de2dcfee43a0e569d5cb1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8b42332a2c5d43a66559a465bf6f8bf81fceb31a830de2dcfee43a0e569d5cb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_rejects_traversal_in_input_images_via_main: Test function `test_rejects_traversal_in_input_images_via_main` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 82446, "scanner": "repobility-ast-engine", "fingerprint": "81856caeca7d285a0dbbf2592690535c2335007539b822bb936ab95be23e07b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|81856caeca7d285a0dbbf2592690535c2335007539b822bb936ab95be23e07b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_rejects_traversal_in_output_path: Test function `test_rejects_traversal_in_output_path` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 82445, "scanner": "repobility-ast-engine", "fingerprint": "011ef66ccb8b371e74df27d9db67c669ff9ba0f9d0773a1520ca314ad4cca38e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|011ef66ccb8b371e74df27d9db67c669ff9ba0f9d0773a1520ca314ad4cca38e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_rejects_traversal_in_prompt_file: Test function `test_rejects_traversal_in_prompt_file` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 82444, "scanner": "repobility-ast-engine", "fingerprint": "15f1503faa91518924a93511ab074238bf140f61c1b3bf7247bd9613cb3b06eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|15f1503faa91518924a93511ab074238bf140f61c1b3bf7247bd9613cb3b06eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_rejects_missing_safe_path: Test function `test_rejects_missing_safe_path` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 82443, "scanner": "repobility-ast-engine", "fingerprint": "23b8aa3787c0dff5160a6367c8ae8c202eb47d143cc2d02b957fcd1f930519d3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23b8aa3787c0dff5160a6367c8ae8c202eb47d143cc2d02b957fcd1f930519d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_rejects_traversal_in_input_images: Test function `test_rejects_traversal_in_input_images` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 82442, "scanner": "repobility-ast-engine", "fingerprint": "05aea54e0da209fa88a8697de108d26dd96e950b68a8b760ba74678eeb1c3748", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|05aea54e0da209fa88a8697de108d26dd96e950b68a8b760ba74678eeb1c3748"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/hatch-pet/scripts/test_generate_pet_images.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 82436, "scanner": "repobility-journey-contract", "fingerprint": "579a2d7f9d36f1770f0832a6d0afc609ef646db302bff6643ee4e096cb854bfa", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|4824|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/SettingsDialog.tsx"}, "region": {"startLine": 4824}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 82433, "scanner": "repobility-journey-contract", "fingerprint": "c9173a4df4e58548abde1bfa85dadba5ea78504ed881f1576d4bdb737b2bc625", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|apps/daemon/src/server.ts|5484|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 4}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/server.ts"}, "region": {"startLine": 5484}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 82394, "scanner": "repobility-threat-engine", "fingerprint": "2ccda4c1794cfaae64758ff4d9a9a57a49d812e215180c48ba7d54eb7e3e5cd5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2ccda4c1794cfaae64758ff4d9a9a57a49d812e215180c48ba7d54eb7e3e5cd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-templates/last30days/scripts/watchlist.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp() \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 82387, "scanner": "repobility-threat-engine", "fingerprint": "e4d1daccfa0a27bb9befefe86c2609bc43f8127450b5466a19d2ae6569408154", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e4d1daccfa0a27bb9befefe86c2609bc43f8127450b5466a19d2ae6569408154"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update-nix-pnpm-deps-hash.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp() \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 82386, "scanner": "repobility-threat-engine", "fingerprint": "5f4a6fa13a393dd2edf3b8a05de5e71a34ff09f201880a71331ed4a214bfc619", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5f4a6fa13a393dd2edf3b8a05de5e71a34ff09f201880a71331ed4a214bfc619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-components-fixtures.ts"}, "region": {"startLine": 138}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp() \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 82385, "scanner": "repobility-threat-engine", "fingerprint": "5c739d265265f4c0040c50fbd13c810f011d48ca190aed23b875b7cabad55b63", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5c739d265265f4c0040c50fbd13c810f011d48ca190aed23b875b7cabad55b63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/runtime/partial-json.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 82384, "scanner": "repobility-threat-engine", "fingerprint": "d26ff534d5d2b233e342b123509bbdebd7f0a786a6b52e04cbfd712e5d63bb4f", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d26ff534d5d2b233e342b123509bbdebd7f0a786a6b52e04cbfd712e5d63bb4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/edit-mode/source-patches.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 82372, "scanner": "repobility-threat-engine", "fingerprint": "af62dff2a14a5e6dd0e3adcf0794502fbefc17ce1f3e20890adb950311996b04", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af62dff2a14a5e6dd0e3adcf0794502fbefc17ce1f3e20890adb950311996b04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/landing-page/scripts/blog-indexing/render-status.ts"}, "region": {"startLine": 170}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 82360, "scanner": "repobility-threat-engine", "fingerprint": "c5528e3a7156b8f40ea90be6d9852051ec625ee352e7f582abd3a67e7c8a31d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/api/projects/:id/handoff', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c5528e3a7156b8f40ea90be6d9852051ec625ee352e7f582abd3a67e7c8a31d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/routes/handoff.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 82359, "scanner": "repobility-threat-engine", "fingerprint": "c42c1b804ed059b8db0bc9c0783e7010d1055244217826c604521a8ac713aad6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/api/tools/design-systems/read', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c42c1b804ed059b8db0bc9c0783e7010d1055244217826c604521a8ac713aad6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/routes/design-system-tool.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 82358, "scanner": "repobility-threat-engine", "fingerprint": "68cdc85055f71658ae768a77f2d268a1e8a7439ffab02417b7e8bde00ece42ef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.put('/api/deploy/config', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|68cdc85055f71658ae768a77f2d268a1e8a7439ffab02417b7e8bde00ece42ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/routes/deploy.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC111", "level": "error", "message": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS."}, "properties": {"repobilityId": 82357, "scanner": "repobility-threat-engine", "fingerprint": "c4f3bfae62c0d586ad02c311e26cdbf936e2e37b621dd15fa6e5212dce4e0ee0", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "safeString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC111", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c4f3bfae62c0d586ad02c311e26cdbf936e2e37b621dd15fa6e5212dce4e0ee0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/plugins/snapshot-diff.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 82356, "scanner": "repobility-threat-engine", "fingerprint": "78401db74540bb3b7dcb3466daa5db417b099fdb367579dbc3b729ee8648a898", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78401db74540bb3b7dcb3466daa5db417b099fdb367579dbc3b729ee8648a898"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/pack/src/win/sign.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 82355, "scanner": "repobility-threat-engine", "fingerprint": "a4cc2856b11736080bc7470e4528b58519e3f8d4a2102b330f5cbc2a949032c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a4cc2856b11736080bc7470e4528b58519e3f8d4a2102b330f5cbc2a949032c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/plugins/atoms/rewrite-plan.ts"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 82354, "scanner": "repobility-threat-engine", "fingerprint": "254635b1db69e5d0fe5c426db1a9ca051a02081eb3bc0f6e3b6c2ccc7719d288", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|254635b1db69e5d0fe5c426db1a9ca051a02081eb3bc0f6e3b6c2ccc7719d288"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/plugins/atoms/diff-review.ts"}, "region": {"startLine": 232}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 82338, "scanner": "repobility-threat-engine", "fingerprint": "f5587efe421ae82642c4b63b9a53d752561d8953891301a8a11791968badcfd4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ws.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f5587efe421ae82642c4b63b9a53d752561d8953891301a8a11791968badcfd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/critique/transcript.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 82337, "scanner": "repobility-threat-engine", "fingerprint": "60e0d1b3dad4892b9160adafebf6f1daa927f7a3368ebdb97cc1c62c92269eb1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "res.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60e0d1b3dad4892b9160adafebf6f1daa927f7a3368ebdb97cc1c62c92269eb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/critique/artifact-handler.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 82336, "scanner": "repobility-threat-engine", "fingerprint": "27318e9e65a49d7e39f59692a3b871acc2682ec3035da1c44af7517913410de5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "store.delete(adapterId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|27318e9e65a49d7e39f59692a3b871acc2682ec3035da1c44af7517913410de5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/critique/adapter-degraded.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 82332, "scanner": "repobility-threat-engine", "fingerprint": "cb342197e5c576e6cb493dee3cc77805b8a30c6e5e839de1803d69af951333d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cb342197e5c576e6cb493dee3cc77805b8a30c6e5e839de1803d69af951333d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/design-token-evidence.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 82331, "scanner": "repobility-threat-engine", "fingerprint": "de0862ea8ee8be28b394eaac1d84e7445adb866547644b5fd4e7e9d36543e761", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(clean", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de0862ea8ee8be28b394eaac1d84e7445adb866547644b5fd4e7e9d36543e761"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/design-system-source-context.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 82330, "scanner": "repobility-threat-engine", "fingerprint": "87c8e23f049f59127193b0e54e2778d98c767474777eac64f7d2b3487f9c6ace", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(prompt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|87c8e23f049f59127193b0e54e2778d98c767474777eac64f7d2b3487f9c6ace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/automation-routine-evolution.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 82320, "scanner": "repobility-threat-engine", "fingerprint": "cadffac9e20e5317dd94ecc14cbcfcc6cd5ec835f19dacfd34caec2a1ddf3442", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|83|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/plugins/bundled.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 82319, "scanner": "repobility-threat-engine", "fingerprint": "19a4f0ba09641bf165070f4b6f507a71d73d8447e33aaa2e0b4cf339496b7e50", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(tmpDir, 'input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|74|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/document-preview.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 82318, "scanner": "repobility-threat-engine", "fingerprint": "c10118c54e81d416dc11b2d8868330282359a0f2b56c463f177967705abc7e35", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|58|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/src/amr-image-staging.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 82309, "scanner": "repobility-threat-engine", "fingerprint": "2f9504929e346f02d65a40b5f05406a5d63468fc16b07a2129a365951bbc6cd6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f9504929e346f02d65a40b5f05406a5d63468fc16b07a2129a365951bbc6cd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/release/r2/s3-upload.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 82308, "scanner": "repobility-threat-engine", "fingerprint": "9e2fbaf3ee060d75aa0275bd9366135c28ab2638d965d625c6a13dfbcf04fe18", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9e2fbaf3ee060d75aa0275bd9366135c28ab2638d965d625c6a13dfbcf04fe18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/release/r2/publish-platform.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 82307, "scanner": "repobility-threat-engine", "fingerprint": "2b1ccfc31ec613e9207cc174b787f5c02317a1f78725a4f276c8aab52e0baca3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b1ccfc31ec613e9207cc174b787f5c02317a1f78725a4f276c8aab52e0baca3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/release/r2/publish-beta-metadata.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any