{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /m"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings-data/route."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 14.5% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 14.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is 
predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "QUAL003", "name": "Magic number used as default arg", "shortDescription": {"text": "Magic number used as default arg"}, "fullDescription": {"text": "Using hardcoded default values for complex configuration objects makes the code brittle and difficult to manage. Consider using a dedicated factory or builder pattern.\n\nAuto-promoted from proposal 444 on 2026-05-12. Synth confidence: 0.85. 
FP estimate: 0.00."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "LOG001", "name": "PII printed to stdout/stderr", "shortDescription": {"text": "PII printed to stdout/stderr"}, "fullDescription": {"text": "Logging password/token/email/ssn directly to stdout."}, "properties": {"scanner": "repobility", "category": "logging", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "CRYP001", "name": "Crypto \u2014 plaintext HTTP for sensitive endpoint", "shortDescription": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "fullDescription": {"text": "Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_close_issues` has cognitive complexity 9 (SonarSource scale). Cognitive ", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_close_issues` has cognitive complexity 9 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 9."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "QUAL004", "name": "Placeholder default username (admin/admin)", "shortDescription": {"text": "Placeholder default username (admin/admin)"}, "fullDescription": {"text": "foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "low", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing 
patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 41 more): Same pattern found in 41 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 38 more): Same pattern found in 38 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 26 more): Same pattern found in 26 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 26 more): Same pattern found in 26 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 35 more): Same pattern found in 35 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 31 more): Same pattern found in 31 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 24 more): Same pattern found in 24 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 47 more): Same pattern found in 47 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 43 more): Same pattern found in 43 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 43 more): Same pattern found in 43 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ghcr.io/gsd-build/gsd-ci-builder:latest` unpinned: `container/services ima", "shortDescription": {"text": "[MINED126] Workflow container/services image `ghcr.io/gsd-build/gsd-ci-builder:latest` unpinned: `container/services image: ghcr.io/gsd-build/gsd-ci-builder:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workf"}, "fullDescription": {"text": "Replace with `ghcr.io/gsd-build/gsd-ci-builder:latest@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:24-bookworm-slim` not pinned by digest: `FROM node:24-bookworm-slim` resolves the tag a", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm-slim` not pinned by digest: `FROM node:24-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Prod"}, "fullDescription": {"text": "Replace with: `FROM node:24-bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `@gsd-build/contracts` pulled from URL/Git: `dependencies.@gsd-build/contracts` = `file:../p", "shortDescription": {"text": "[MINED122] package.json dep `@gsd-build/contracts` pulled from URL/Git: `dependencies.@gsd-build/contracts` = `file:../packages/contracts` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the U"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. 
If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_preserves_non_status_labels` of class `T", "shortDescription": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_preserves_non_status_labels` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). T"}, "fullDescription": {"text": "Initialize `self._setup_repo = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC092", "name": "[SEC092] Go: SQL via fmt.Sprintf or string concat: SQL query constructed via Sprintf or `+` enables SQL injection. Porte", "shortDescription": {"text": "[SEC092] Go: SQL via fmt.Sprintf or string concat: SQL query constructed via Sprintf or `+` enables SQL injection. Ported from gosec G201 / G202 (Apache-2.0)."}, "fullDescription": {"text": "Use placeholders: `db.Query(\"SELECT ... WHERE id = ?\", userID)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render.", "shortDescription": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERRH001", "name": "Bare except: pass \u2014 silent failure", "shortDescription": {"text": "Bare except: pass \u2014 silent failure"}, "fullDescription": {"text": "except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"scanner": "repobility", "category": "error_handling", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "PATH001", "name": "Path traversal \u2014 user input in os.path.join", "shortDescription": {"text": "Path traversal \u2014 user input in os.path.join"}, "fullDescription": {"text": "os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"scanner": "repobility", "category": "path_traversal", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. 
Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. 
Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SECR001", "name": "Hardcoded secret in source", "shortDescription": {"text": "Hardcoded secret in source"}, "fullDescription": {"text": "API key, AWS access key, password, or private key embedded directly in source. AI assistants frequently leak demo creds."}, "properties": {"scanner": "repobility", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/204"}, "properties": {"repository": "gsd-build/gsd-2", "repoUrl": "https://github.com/gsd-build/gsd-2", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 49784, "scanner": "repobility-ast-engine", "fingerprint": "b680f4e866ba0a034214737f3e13cfb53acc66a5bd95919c968f54ee2513dea7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b680f4e866ba0a034214737f3e13cfb53acc66a5bd95919c968f54ee2513dea7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 452}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 49783, "scanner": "repobility-ast-engine", "fingerprint": "c5a09397bc0e99c4cf6f179e68ba1c7fa86250d117148ad32ce0b35f1279b824", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5a09397bc0e99c4cf6f179e68ba1c7fa86250d117148ad32ce0b35f1279b824"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 49782, "scanner": "repobility-ast-engine", "fingerprint": "9288ff05ea7aa01235f6c26a5b8e64102652b35e4289c002f4c483a21dc61c3f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9288ff05ea7aa01235f6c26a5b8e64102652b35e4289c002f4c483a21dc61c3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 458}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 49781, "scanner": "repobility-ast-engine", "fingerprint": "5175c6ef087b89df08fdf95bd736dfe0be9725ca43ef95175fe7c570656e1fdf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5175c6ef087b89df08fdf95bd736dfe0be9725ca43ef95175fe7c570656e1fdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 352}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 49780, "scanner": "repobility-ast-engine", "fingerprint": "97c7a87d43760a3561e7d7aa4071cac67208e07f593a9c7a8b3e101ca198935b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97c7a87d43760a3561e7d7aa4071cac67208e07f593a9c7a8b3e101ca198935b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 49779, "scanner": "repobility-ast-engine", "fingerprint": "48666f689a33a2e3bc5aae7e7a494d44c3678750d135c65c1ced227934fc2d5c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|48666f689a33a2e3bc5aae7e7a494d44c3678750d135c65c1ced227934fc2d5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 49778, "scanner": "repobility-ast-engine", "fingerprint": "eaea404f42f295e06d33298de20d4d3c2624c4e3eccc936afa4e12e95c7fdf31", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eaea404f42f295e06d33298de20d4d3c2624c4e3eccc936afa4e12e95c7fdf31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 49777, "scanner": "repobility-journey-contract", "fingerprint": "e28e64d3678eabef93911645947f34a78a05c622703895b8741927882cd89c26", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/visualizer", "correlation_key": "fp|e28e64d3678eabef93911645947f34a78a05c622703895b8741927882cd89c26", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/dashboard.tsx"}, "region": {"startLine": 137}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 49776, "scanner": "repobility-journey-contract", "fingerprint": 
"1092e4c46ea16e99d1edde5af7e00564c49fa15624ca9c3aa1720f42d7425874", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/shutdown", "correlation_key": "fp|1092e4c46ea16e99d1edde5af7e00564c49fa15624ca9c3aa1720f42d7425874", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/app-shell.tsx"}, "region": {"startLine": 636}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 49775, "scanner": "repobility-journey-contract", "fingerprint": "4f3ef22fe16ec3b145510044803c0fa793d02298d15f1994a94ed75fdcb0f2b2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/preferences", "correlation_key": "fp|4f3ef22fe16ec3b145510044803c0fa793d02298d15f1994a94ed75fdcb0f2b2", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/app-shell.tsx"}, "region": {"startLine": 606}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated 
policy evidence. Endpoint: POST /mcp-connections/route."}, "properties": {"repobilityId": 49774, "scanner": "repobility-access-control", "fingerprint": "1909b294921804fe5fb30390d007ce43cdc46c23c17e91fdfa461c76f1549019", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/mcp-connections/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|33|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/mcp-connections/route.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /mcp-connections/route."}, "properties": {"repobilityId": 49773, "scanner": "repobility-access-control", "fingerprint": "9f5e25724c065328976a8fa6f13c16ace78d2282ecdfd7addde05c8b76b7c2aa", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/mcp-connections/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|14|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/mcp-connections/route.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PUT /preferences/route."}, "properties": {"repobilityId": 49772, "scanner": "repobility-access-control", "fingerprint": "a909812363392e3fbfc2bb89b76dfab5f8fa0332c344346ee1f12d122eaa69e4", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/preferences/route", "method": "PUT", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|47|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/preferences/route.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /preferences/route."}, "properties": {"repobilityId": 49771, "scanner": "repobility-access-control", "fingerprint": "04293089aaca1dc36689853a3f25862a4e1d7425e56371cfa8c7df9766046cd2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/preferences/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|27|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/preferences/route.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /settings-data/route."}, "properties": {"repobilityId": 49770, "scanner": "repobility-access-control", "fingerprint": "c2d1657e7f164f45ac5559eb1e2eef63e6650cf5327771fb608bb49da9301c34", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings-data/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|7|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/settings-data/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 14.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 49769, "scanner": "repobility-access-control", "fingerprint": "9881722652e1d068ff5485a6a0d618275a227181f7279ad2d42371e839f498ab", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 62, "correlation_key": "fp|9881722652e1d068ff5485a6a0d618275a227181f7279ad2d42371e839f498ab", "auth_visible_percent": 14.5}}}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 49735, "scanner": "repobility-threat-engine", "fingerprint": "bfa16812a196f8aa61352d1aa4f2f0d212ae51dabd5e54dbfd2670795510c260", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * chars.length));\n\t}\n\treturn nonce", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bfa16812a196f8aa61352d1aa4f2f0d212ae51dabd5e54dbfd2670795510c260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vscode-extension/src/conversation-history.ts"}, "region": {"startLine": 425}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 49734, "scanner": "repobility-threat-engine", "fingerprint": "48ed7d9d07571eccd585fce15cae580fc3679e09d74e70f203a4f50c8c5a7d17", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2, 10)}`,\n\t);\n\tmkdirSync(extractDir, { recursiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|48ed7d9d07571eccd585fce15cae580fc3679e09d74e70f203a4f50c8c5a7d17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/utils/tools-manager.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 49719, "scanner": "repobility-threat-engine", "fingerprint": "df95283ae850e0b5f1ecb45780cbfc634265d4005abf8e6f7ad854ebbc1ab217", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df95283ae850e0b5f1ecb45780cbfc634265d4005abf8e6f7ad854ebbc1ab217"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vscode-extension/src/chat-participant.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 49718, 
"scanner": "repobility-threat-engine", "fingerprint": "139a3c522bde122b8c6087efada97580d956cd936e54080259b83345f203a683", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|139a3c522bde122b8c6087efada97580d956cd936e54080259b83345f203a683"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/notifications.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 49717, "scanner": "repobility-threat-engine", "fingerprint": "8fb174143efcb4e2b9ce1aaa33d0c65da20786ae6f0f30a5e8bb2b7f478be476", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8fb174143efcb4e2b9ce1aaa33d0c65da20786ae6f0f30a5e8bb2b7f478be476"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-agent-core/src/proxy.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 49707, "scanner": "repobility-threat-engine", "fingerprint": "ac7d09f43c212993fee5453983b7f06d920c295d0bb5fb1a0e509f8ebad15a7d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|207|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/export-html/ansi-to-html.ts"}, "region": {"startLine": 207}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 49706, "scanner": "repobility-threat-engine", "fingerprint": "76ce68b3a33877f34cde5ff87fbf75c8090638250033c296116c24f97100737c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|276|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/bash-executor.ts"}, "region": {"startLine": 276}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 49705, "scanner": "repobility-threat-engine", "fingerprint": "0b8146c73e93686b8f9d229dda9a6dae7af369eec4adf282871a7f060ce44764", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|88|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/readers/roadmap.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21949, "scanner": "repobility", "fingerprint": "d58072250af032791cbc80cde5e7b498", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 2", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/native/src/gsd-parser/index.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21948, "scanner": "repobility", "fingerprint": "260788a26fe16813b63b60cf87ca249d", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 3", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/native/src/text/index.ts"}, "region": {"startLine": 118}}}]}, 
{"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21947, "scanner": "repobility", "fingerprint": "b23ac41fc7c66b04a875a332e37f8f5f", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 3", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/native/src/text/index.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21946, "scanner": "repobility", "fingerprint": "bc6ce454c69635ce0b6835ca813bb6c7", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 16384", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/compaction/branch-summarization.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21945, "scanner": "repobility", "fingerprint": "63ff62121964e4c0723c621ebd1fc474", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 0", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/modes/interactive/components/visual-truncate.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": 
"Magic number used as default arg"}, "properties": {"repobilityId": 21944, "scanner": "repobility", "fingerprint": "8a62bdeabe997b3b5748945f3d4b2704", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 5000", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/context7/index.ts"}, "region": {"startLine": 276}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21943, "scanner": "repobility", "fingerprint": "f5633205b42ad1136e7d1301d731f57e", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 5000", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/context7/index.ts"}, "region": {"startLine": 255}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21942, "scanner": "repobility", "fingerprint": "745e7228ce3c31d95443a89a630745f9", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 5000", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/context7/index.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21941, "scanner": "repobility", 
"fingerprint": "070af622641d29457d785dce783dbece", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 5", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/google-search/index.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21940, "scanner": "repobility", "fingerprint": "1fdd3e8e151a881f0fe3e488265680d0", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 5", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/async-jobs/job-manager.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21939, "scanner": "repobility", "fingerprint": "1c0774c49ce30b192f9c196f78f3b28a", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 100", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/async-jobs/job-manager.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21938, "scanner": "repobility", "fingerprint": "bf39b09740e9e326227e0c68deaab211", "category": "quality", "severity": "medium", 
"confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 15", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/async-jobs/job-manager.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 17009, "scanner": "repobility", "fingerprint": "50ef87ed9892c13e8ef52116ac897b4e", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "console.log('\\n=== parseSecretsManifest: empty/no-secret", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/tests/parsers.test.ts"}, "region": {"startLine": 1339}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 17008, "scanner": "repobility", "fingerprint": "8459515b2d0167aef62d59cd0794177f", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "console.log(\"\\n=== must-haves: substring matching (no backtick token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/tests/unit-runtime.test.ts"}, "region": {"startLine": 194}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14204, "scanner": "repobility", "fingerprint": "73a0c968e6ce4bedb8ad256de1409f2b", "category": 
"crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/utils/git.ts"}, "region": {"startLine": 155}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14203, "scanner": "repobility", "fingerprint": "4716ada0f33789d72a3f0c9a70af33e8", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/utils/git.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14202, "scanner": "repobility", "fingerprint": "437c78c26f3bf208ab36c31a052b6223", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/browser-tools/tests/browser-tools-unit.test.cjs"}, "region": {"startLine": 509}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14201, "scanner": "repobility", "fingerprint": 
"95056d6cb740c2b2787ae2584bdbf9de", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/browser-tools/tests/browser-tools-unit.test.cjs"}, "region": {"startLine": 489}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14200, "scanner": "repobility", "fingerprint": "74db3a949cef6c794a8bc0adf0de09c6", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/browser-tools/tests/browser-tools-unit.test.cjs"}, "region": {"startLine": 482}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14199, "scanner": "repobility", "fingerprint": "2d0b948629108d47ca54436e938fdb0c", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/browser-tools/tests/browser-tools-unit.test.cjs"}, "region": 
{"startLine": 475}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6285, "scanner": "repobility-journey-contract", "fingerprint": "7a44b4ba6aa28d42bf3a10f4d89fa91181d1b21b5492c5660943ec5d393ad1ac", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/preferences", "correlation_key": "fp|7a44b4ba6aa28d42bf3a10f4d89fa91181d1b21b5492c5660943ec5d393ad1ac", "backend_endpoint_count": 60}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/onboarding/step-dev-root.tsx"}, "region": {"startLine": 180}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6284, "scanner": "repobility-journey-contract", "fingerprint": "a6efa6640f8519d7a2bf11937d1cebc35fa1f1eea9c120bc8593934641144bab", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/browse-directories{param}", "correlation_key": "fp|a6efa6640f8519d7a2bf11937d1cebc35fa1f1eea9c120bc8593934641144bab", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/onboarding/step-dev-root.tsx"}, "region": 
{"startLine": 54}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6283, "scanner": "repobility-journey-contract", "fingerprint": "db43ac4d27930ce6cde8edeb67ed50c9b1df476445b44a3ef815c5fe6fe952c0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/terminal/upload", "correlation_key": "fp|db43ac4d27930ce6cde8edeb67ed50c9b1df476445b44a3ef815c5fe6fe952c0", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/main-session-terminal.tsx"}, "region": {"startLine": 342}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6282, "scanner": "repobility-journey-contract", "fingerprint": "e622c8be848c0276b0eeabf25b4e043180dc960aa2320c24845b04baef1fe98e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/bridge-terminal/stream", "correlation_key": "fp|e622c8be848c0276b0eeabf25b4e043180dc960aa2320c24845b04baef1fe98e", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/main-session-terminal.tsx"}, "region": 
{"startLine": 195}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6281, "scanner": "repobility-journey-contract", "fingerprint": "ee376bd0f25841e82989566513baab58929267e98acc752009648432124b2277", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/bridge-terminal/resize", "correlation_key": "fp|ee376bd0f25841e82989566513baab58929267e98acc752009648432124b2277", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/main-session-terminal.tsx"}, "region": {"startLine": 134}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6280, "scanner": "repobility-journey-contract", "fingerprint": "45b6cc5cdc1d9cb3035b82ef99a3e9f97a46f8dd26762e01cf3671cde7f7cb54", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/bridge-terminal/input", "correlation_key": "fp|45b6cc5cdc1d9cb3035b82ef99a3e9f97a46f8dd26762e01cf3671cde7f7cb54", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/main-session-terminal.tsx"}, 
"region": {"startLine": 106}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6279, "scanner": "repobility-journey-contract", "fingerprint": "9855b1b25ca12ca5a4c8fbef46a624a97f188965c7b68a31a59d4c809ef1b14c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|9855b1b25ca12ca5a4c8fbef46a624a97f188965c7b68a31a59d4c809ef1b14c", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 1007}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6278, "scanner": "repobility-journey-contract", "fingerprint": "951f8a1c3f030bd1fdbb70abe111cd53d16290ceeed381d09c5f1179acbabc14", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|951f8a1c3f030bd1fdbb70abe111cd53d16290ceeed381d09c5f1179acbabc14", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 986}}}]}, {"ruleId": 
"JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6277, "scanner": "repobility-journey-contract", "fingerprint": "56726b9f6c3d33759448f0d744f3eecfdc446cdfa674bb9cf107156c87138fdd", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|56726b9f6c3d33759448f0d744f3eecfdc446cdfa674bb9cf107156c87138fdd", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 868}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6276, "scanner": "repobility-journey-contract", "fingerprint": "719e626aea86fad9f467f7bdba1e8e65e3b24fdf248bf219ade32965e25148fd", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|719e626aea86fad9f467f7bdba1e8e65e3b24fdf248bf219ade32965e25148fd", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 828}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": 
"Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6275, "scanner": "repobility-journey-contract", "fingerprint": "6eb76acff734081b59035f8735aa3a55b53f5ab96dc719754f967b8d8a209d88", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|6eb76acff734081b59035f8735aa3a55b53f5ab96dc719754f967b8d8a209d88", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 739}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6274, "scanner": "repobility-journey-contract", "fingerprint": "14136444a95f08fb89a67cfdf241ce0fd910df069c0722a3fa5873ae4e16bbf3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|14136444a95f08fb89a67cfdf241ce0fd910df069c0722a3fa5873ae4e16bbf3", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 563}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered 
backend routes"}, "properties": {"repobilityId": 6273, "scanner": "repobility-journey-contract", "fingerprint": "da21bb1c57c5b8bb9e61dc79765ee81ac499e1d3e9c1189075d641d6f9c2b75a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/visualizer", "correlation_key": "fp|da21bb1c57c5b8bb9e61dc79765ee81ac499e1d3e9c1189075d641d6f9c2b75a", "backend_endpoint_count": 60}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/dashboard.tsx"}, "region": {"startLine": 134}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 6272, "scanner": "repobility-journey-contract", "fingerprint": "2a4b5a673aee79ba10efa289b824ea3bad8e99d4ef17a88dc5a4de650bfc20b0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/shutdown", "correlation_key": "fp|2a4b5a673aee79ba10efa289b824ea3bad8e99d4ef17a88dc5a4de650bfc20b0", "backend_endpoint_count": 60}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/app-shell.tsx"}, "region": {"startLine": 610}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 6271, 
"scanner": "repobility-journey-contract", "fingerprint": "efa42941a3020b7397c5637d4ff8bb07e464907f58ba03307856d3365470d73f", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|web/lib/auth.ts|47|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/lib/auth.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /steer/route."}, "properties": {"repobilityId": 6270, "scanner": "repobility-access-control", "fingerprint": "c876f833dcfb1f7cbaebb23b54f505d38a84951f6de75c455dc4d2be05478cee", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/steer/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|web/app/api/steer/route.ts|10|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/steer/route.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy 
evidence. Endpoint: POST /update/route."}, "properties": {"repobilityId": 6269, "scanner": "repobility-access-control", "fingerprint": "7f94a0cca3ead08ecde387eb062545205606d66d11d7c175d677fd3778e5ec0c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/update/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|web/app/api/update/route.ts|44|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/update/route.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /update/route."}, "properties": {"repobilityId": 6268, "scanner": "repobility-access-control", "fingerprint": "6e18cdc720ecc1d46465a6d1fb7c92ab1c52d446c1f51c72574905bc0d2fe8d6", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/update/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|web/app/api/update/route.ts|11|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/update/route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /live-state/route."}, "properties": {"repobilityId": 6267, "scanner": "repobility-access-control", "fingerprint": "3c4558c692656a821e11f59d9a2ff6e3283932ccddc9236c38179abbb0d2c87e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/live-state/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|24|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/live-state/route.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /cleanup/route."}, "properties": {"repobilityId": 6266, "scanner": "repobility-access-control", "fingerprint": "7e7124deca03bd44641e29d38ba88a220ebbea028d76d8503107e187d5adbbbb", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cleanup/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|30|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/cleanup/route.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PUT /preferences/route."}, "properties": {"repobilityId": 6265, "scanner": "repobility-access-control", "fingerprint": "f14bed013c82ad732a346a67a78bcf37cc0997a308e2cb339b086ea179f15cf8", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/preferences/route", "method": "PUT", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|32|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/preferences/route.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /session/manage/route."}, "properties": {"repobilityId": 6264, "scanner": "repobility-access-control", "fingerprint": "7f94ce29c18b4c34126ace52193b52c5698d934f9284d2ee49a634f432b5b437", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/session/manage/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|50|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/session/manage/route.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /terminal/resize/route."}, "properties": {"repobilityId": 6263, "scanner": "repobility-access-control", "fingerprint": "6b1573f57a7ccdefa946494e5051d0a0d0a9721a6f489cbc782da0ab89a4af7f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/terminal/resize/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|13|auc004", "duplicate_count": 1, "identity_targets": ["authenticated", "admin"], "duplicate_rule_ids": ["AUC004"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["5ca96a6556a7f498475c2f64b066a4def25d73134cfd829ea4f7da3a96fb78eb", "6b1573f57a7ccdefa946494e5051d0a0d0a9721a6f489cbc782da0ab89a4af7f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/terminal/resize/route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /visualizer/route."}, "properties": {"repobilityId": 6262, "scanner": "repobility-access-control", "fingerprint": "6ec392c2f635cc45134db9207948c5acc3f3cf8f93a774376aa8dd0c9bae4c6f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/visualizer/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|7|auc009", "duplicate_count": 2, "identity_targets": ["unknown"], "duplicate_rule_ids": ["AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["6669af642ea2a0496d3e3859eb117715cb45f930464e8f1299bb7941124d8c9f", "6ec392c2f635cc45134db9207948c5acc3f3cf8f93a774376aa8dd0c9bae4c6f", "a795727a94420f8879576df65db7409dd801a46838aa5ae569dd9c9ab24d40c6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/visualizer/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 15.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 6261, "scanner": "repobility-access-control", "fingerprint": "4e770ac20ee6809bf40f488956fa7ee64caa8770f9fe6e375bada3724a38b60b", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 60, "correlation_key": "fp|4e770ac20ee6809bf40f488956fa7ee64caa8770f9fe6e375bada3724a38b60b", "auth_visible_percent": 15.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 6260, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", 
"severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 6257, "scanner": "repobility-docker", "fingerprint": "4ec8977eddc1dfd7781c6b39a8b6456b7338d5b7f6333731329c77665abf4cce", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24-bookworm-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4ec8977eddc1dfd7781c6b39a8b6456b7338d5b7f6333731329c77665abf4cce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.sandbox"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 6256, "scanner": "repobility-docker", "fingerprint": "d0f0881a624a71c76f9e77e4c377542768a2d8434dc51c1d6f13a1c7ee466d16", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": 
"repobility-docker", "final_base": "node:24-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d0f0881a624a71c76f9e77e4c377542768a2d8434dc51c1d6f13a1c7ee466d16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.ci-builder"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 6253, "scanner": "repobility-docker", "fingerprint": "fd1a36829bfcc153393f56643ede68ab8d0139402573706dba145cc978e14382", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fd1a36829bfcc153393f56643ede68ab8d0139402573706dba145cc978e14382"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 6245, "scanner": "repobility-threat-engine", "fingerprint": "a95c4f310a40e6b2be6493b7430bee70d0a9f766506eaa80ba5039393f178845", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": 
"Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a95c4f310a40e6b2be6493b7430bee70d0a9f766506eaa80ba5039393f178845"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/compaction-orchestrator.ts"}, "region": {"startLine": 429}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 6244, "scanner": "repobility-threat-engine", "fingerprint": "edae90219ffe5cc0e93e9e97cbfe7a1c136853d8c607c8f05b1adc474c852927", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|edae90219ffe5cc0e93e9e97cbfe7a1c136853d8c607c8f05b1adc474c852927"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google-gemini-cli.ts"}, "region": {"startLine": 525}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 6243, "scanner": "repobility-threat-engine", "fingerprint": "c46fa2adf58471a927ea70bbbc96a3ac8a7a8965802a6deb37aa5c4e237982aa", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": 
"fp|c46fa2adf58471a927ea70bbbc96a3ac8a7a8965802a6deb37aa5c4e237982aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli.ts"}, "region": {"startLine": 544}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 6238, "scanner": "repobility-agent-runtime", "fingerprint": "47e16ce2e33cc15588890643be98d7ba9f4408fa34c8862130ed2b52e7d43a54", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|47e16ce2e33cc15588890643be98d7ba9f4408fa34c8862130ed2b52e7d43a54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/zh-CN/user-docs/getting-started.md"}, "region": {"startLine": 205}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6227, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5dce4e2b5291026169294ba90c285fa5a68725b6dc3801231c9905161389b1fc", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/daemon/src/session-manager.ts", "duplicate_line": 17, "correlation_key": "fp|5dce4e2b5291026169294ba90c285fa5a68725b6dc3801231c9905161389b1fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/session-manager.ts"}, "region": {"startLine": 37}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49768, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ce14f2a02ce0ac4e42667f72eb401418b5aed8ca7d33151b7be249e5d435fa61", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-coding-agent/src/core/tools/hashline-read.ts", "duplicate_line": 52, "correlation_key": "fp|ce14f2a02ce0ac4e42667f72eb401418b5aed8ca7d33151b7be249e5d435fa61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/tools/read.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49767, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff6918cdecd88d995bba00fb7b31de7861fc8f605a9564e239c305680fc28daf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-coding-agent/src/core/tools/edit.ts", "duplicate_line": 59, "correlation_key": "fp|ff6918cdecd88d995bba00fb7b31de7861fc8f605a9564e239c305680fc28daf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/tools/hashline-read.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 49766, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf360cdf9185f318f467592ebb7bf158ad229dc27bf8eea64b493ca469629148", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-coding-agent/src/core/tools/edit.ts", "duplicate_line": 58, "correlation_key": "fp|bf360cdf9185f318f467592ebb7bf158ad229dc27bf8eea64b493ca469629148"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/tools/hashline-edit.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49765, "scanner": "repobility-ai-code-hygiene", "fingerprint": "332d03e3b373c18add5e1accd212c0322bb8ecaa3569e1266e93687a8f6aafbd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-coding-agent/src/core/lock-utils.ts", "duplicate_line": 13, "correlation_key": "fp|332d03e3b373c18add5e1accd212c0322bb8ecaa3569e1266e93687a8f6aafbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/models-json-writer.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
49764, "scanner": "repobility-ai-code-hygiene", "fingerprint": "037a7b35df116a3ccb2ba147399bee11115b89d725efb45f76093c241eafa4ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-coding-agent/src/core/extensions/extension-manifest.ts", "duplicate_line": 2, "correlation_key": "fp|037a7b35df116a3ccb2ba147399bee11115b89d725efb45f76093c241eafa4ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/extensions/extension-registry.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49763, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de9763701cb4bf87ed7b67a9b26a30f7fac324b14d9904d7204b5e8620a51906", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/env-api-keys.ts", "duplicate_line": 80, "correlation_key": "fp|de9763701cb4bf87ed7b67a9b26a30f7fac324b14d9904d7204b5e8620a51906"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/web-runtime-env-api-keys.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49762, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"d1775cc59a6d836008494d281df52ec39143e7585174e3d4efa7ac580f602bdf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/utils/oauth/google-antigravity.ts", "duplicate_line": 91, "correlation_key": "fp|d1775cc59a6d836008494d281df52ec39143e7585174e3d4efa7ac580f602bdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/utils/oauth/google-gemini-cli.ts"}, "region": {"startLine": 198}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49761, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ed6972bcdd3c6e9db72013681a4744b078f65c9c3fb9f11b78daff8e5adc02e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/mistral.ts", "duplicate_line": 114, "correlation_key": "fp|4ed6972bcdd3c6e9db72013681a4744b078f65c9c3fb9f11b78daff8e5adc02e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/openai-shared.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49760, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f093b2ac782b1b86b056ac1a33409c464d20cfeee8018b049c8c1da7fa79bdf", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 66, "correlation_key": "fp|4f093b2ac782b1b86b056ac1a33409c464d20cfeee8018b049c8c1da7fa79bdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/openai-shared.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49759, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48edd2ab4557cdb1761f29ae8146eb48c7ff9291451c94dd20bb451a5272cae0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/anthropic-shared.ts", "duplicate_line": 540, "correlation_key": "fp|48edd2ab4557cdb1761f29ae8146eb48c7ff9291451c94dd20bb451a5272cae0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/openai-shared.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49758, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05e7f26660604799ac3cb5ac895c814e0893dd6b67e3fa91af0340ed9e9f1dae", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/azure-openai-responses.ts", "duplicate_line": 191, "correlation_key": "fp|05e7f26660604799ac3cb5ac895c814e0893dd6b67e3fa91af0340ed9e9f1dae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/openai-responses.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49757, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db4bcdf6020c57707a74d2d56bb8f684eada186e1b4c37a797a1e7ed37106a54", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/google.ts", "duplicate_line": 66, "correlation_key": "fp|db4bcdf6020c57707a74d2d56bb8f684eada186e1b4c37a797a1e7ed37106a54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/openai-codex-responses.ts"}, "region": {"startLine": 173}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49756, "scanner": "repobility-ai-code-hygiene", "fingerprint": "237492493a15a719787f1bbdb31c86e477460fc3c882882389aa59f196b47c70", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/anthropic-shared.ts", "duplicate_line": 545, "correlation_key": "fp|237492493a15a719787f1bbdb31c86e477460fc3c882882389aa59f196b47c70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/openai-codex-responses.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49755, "scanner": "repobility-ai-code-hygiene", "fingerprint": "345341ef3eccfc6e1099dc4b5ca14c0736117ad7fc36a31516182c536ba11c35", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 66, "correlation_key": "fp|345341ef3eccfc6e1099dc4b5ca14c0736117ad7fc36a31516182c536ba11c35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/openai-codex-responses.ts"}, "region": {"startLine": 170}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49754, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3b43a8764268706f6f5c02ddcd26f323b49060a4f3e0c99c9c227cdf9388551a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/google-gemini-cli.ts", "duplicate_line": 90, "correlation_key": "fp|3b43a8764268706f6f5c02ddcd26f323b49060a4f3e0c99c9c227cdf9388551a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/openai-codex-responses.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49753, "scanner": "repobility-ai-code-hygiene", "fingerprint": "34b94b5f019df7132b9a4434d7efdec713cefc452b2a82742c469f92d6f7ed96", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 66, "correlation_key": "fp|34b94b5f019df7132b9a4434d7efdec713cefc452b2a82742c469f92d6f7ed96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/mistral.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49752, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84a3b99c00a44371953cbfec57af363c8c855e5b7ffe4ec0ce25c26bdc8e9617", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/pi-ai/src/providers/fake.ts", "duplicate_line": 172, "correlation_key": "fp|84a3b99c00a44371953cbfec57af363c8c855e5b7ffe4ec0ce25c26bdc8e9617"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/mistral.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49751, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95c619efeb2413653dc810ace206c6972e4619b9293eb04c3d45bec88020810b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/anthropic-shared.ts", "duplicate_line": 545, "correlation_key": "fp|95c619efeb2413653dc810ace206c6972e4619b9293eb04c3d45bec88020810b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 49750, "scanner": "repobility-ai-code-hygiene", "fingerprint": "314073c70fed52083ffcaa8405f60111c8598c9617b52315e936c4433c9f1a78", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/daemon/src/session-manager.ts", "duplicate_line": 23, "correlation_key": 
"fp|314073c70fed52083ffcaa8405f60111c8598c9617b52315e936c4433c9f1a78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/session-manager.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `_close_issues` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, for=2, if=2, nested_bonus=4."}, "properties": {"repobilityId": 49744, "scanner": "repobility-threat-engine", "fingerprint": "f27d07157d82ae7d6fa9c1c6b2024309a5fe7c7c302106b8252e583a1082b0d4", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_close_issues", "breakdown": {"if": 2, "for": 2, "continue": 1, "nested_bonus": 4}, "complexity": 9, "correlation_key": "fp|f27d07157d82ae7d6fa9c1c6b2024309a5fe7c7c302106b8252e583a1082b0d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/scripts/experiment_cleanup.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `list_resources` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, for=4, if=2, nested_bonus=4, ternary=1."}, "properties": {"repobilityId": 49743, "scanner": "repobility-threat-engine", "fingerprint": "c4a2e646bd331bc9e1ca539e893e13bb7f5b0cf7a04f3fe4f76c13c96f854d8a", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "list_resources", "breakdown": {"if": 2, "for": 4, "ternary": 1, "continue": 1, "nested_bonus": 4}, "complexity": 12, "correlation_key": "fp|c4a2e646bd331bc9e1ca539e893e13bb7f5b0cf7a04f3fe4f76c13c96f854d8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/scripts/experiment_cleanup.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22077, "scanner": "repobility", "fingerprint": "494f263a6c06eeb597548f9183e713f9", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "foo@bar.", "aljefra_cwe": ["CWE-1392", "CWE-798"], "aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-tui/src/components/markdown.ts"}, "region": {"startLine": 470}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22076, "scanner": "repobility", "fingerprint": "5ae2b56272f508326204451bb5589337", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "test@test.", "aljefra_cwe": ["CWE-1392", "CWE-798"], 
"aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/tests/git-service.test.ts"}, "region": {"startLine": 979}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22075, "scanner": "repobility", "fingerprint": "c223de14650eddf983dcab737fb96058", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "test@test.", "aljefra_cwe": ["CWE-1392", "CWE-798"], "aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/tests/auto-worktree.test.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22074, "scanner": "repobility", "fingerprint": "930629d2ec3c4d56e3554d8d3e7d47bd", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "test@test.", "aljefra_cwe": ["CWE-1392", "CWE-798"], "aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/tests/auto-worktree-milestone-merge.test.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22073, "scanner": "repobility", "fingerprint": "93e15edd9735de9c157405ed14dc9518", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "test@test.", 
"aljefra_cwe": ["CWE-1392", "CWE-798"], "aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/tests/worktree-e2e.test.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22072, "scanner": "repobility", "fingerprint": "b4c50a1f214c566e7302cd9b34a0b91d", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "test@test.", "aljefra_cwe": ["CWE-1392", "CWE-798"], "aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/tests/git-self-heal.test.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22071, "scanner": "repobility", "fingerprint": "b0c8f8f2b991167ce4ab85d0a8ed0dfe", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "test@test.", "aljefra_cwe": ["CWE-1392", "CWE-798"], "aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/tests/doctor-git.test.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22070, "scanner": "repobility", "fingerprint": "c185aa0faf71a4ef7874c8c014e1d069", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": 
"test@test.", "aljefra_cwe": ["CWE-1392", "CWE-798"], "aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/tests/doctor-git.test.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6259, "scanner": "repobility-docker", "fingerprint": "811effad619f082c7dbaf89ce19da72ae754b998589a599f5ba747f5558bda72", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "gsd", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|811effad619f082c7dbaf89ce19da72ae754b998589a599f5ba747f5558bda72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6258, "scanner": "repobility-docker", "fingerprint": "909539467a9104c1aa907302e03d93cb733ccd16ff6338b2d0666346f543c959", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "gsd", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|909539467a9104c1aa907302e03d93cb733ccd16ff6338b2d0666346f543c959"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docker/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 6254, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 6252, "scanner": "repobility-threat-engine", "fingerprint": "628e243c6a5ac0cecd2f1636f801eb9b72420368ed2731563cdae6336d27a4f1", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = g", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|705|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/export-html/template.js"}, "region": {"startLine": 705}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 6237, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65b2f50098cbf9b8cd0106085ecc4cebc5ad13e0d03c4178c51237241bc9203f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 66, "correlation_key": "fp|65b2f50098cbf9b8cd0106085ecc4cebc5ad13e0d03c4178c51237241bc9203f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6236, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca35036fdb275e20863540e06776ea9fe5942a8e269728bf10ffa386440f4859", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/google-vertex.ts", "duplicate_line": 20, "correlation_key": "fp|ca35036fdb275e20863540e06776ea9fe5942a8e269728bf10ffa386440f4859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6235, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"f48d0eed302335a8fcee93ce8277b1c1fb3dcd738e02f5b824dd8e3b8076b9ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/google-gemini-cli.ts", "duplicate_line": 2, "correlation_key": "fp|f48d0eed302335a8fcee93ce8277b1c1fb3dcd738e02f5b824dd8e3b8076b9ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6234, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c850938667ef1945dd9093676dde0765e6f44a96700c1539abade84d92fffb45", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/google-gemini-cli.ts", "duplicate_line": 448, "correlation_key": "fp|c850938667ef1945dd9093676dde0765e6f44a96700c1539abade84d92fffb45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google-vertex.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6233, "scanner": "repobility-ai-code-hygiene", "fingerprint": "632abd14e230f29f11202aa4c665f6da87b1649e09ca7ad8f30cc5e7fc3e6e78", "category": "quality", "severity": 
"low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/anthropic-shared.ts", "duplicate_line": 545, "correlation_key": "fp|632abd14e230f29f11202aa4c665f6da87b1649e09ca7ad8f30cc5e7fc3e6e78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google-vertex.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6232, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d96740fb5956b8c711f8fddf68ec6efbcb435baf0990886249155bce4eb2e238", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 66, "correlation_key": "fp|d96740fb5956b8c711f8fddf68ec6efbcb435baf0990886249155bce4eb2e238"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google-vertex.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6231, "scanner": "repobility-ai-code-hygiene", "fingerprint": "26cbfb0717049de8f8c8649e5c4ee4ed67111a66090f9f6ac0702f06f6d0f9ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": 
"A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/anthropic-shared.ts", "duplicate_line": 545, "correlation_key": "fp|26cbfb0717049de8f8c8649e5c4ee4ed67111a66090f9f6ac0702f06f6d0f9ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google-gemini-cli.ts"}, "region": {"startLine": 260}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6230, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc79cb39119148062f2a0df4f29f5eccbf0d557899031e1b878eb67e174ef022", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 66, "correlation_key": "fp|cc79cb39119148062f2a0df4f29f5eccbf0d557899031e1b878eb67e174ef022"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google-gemini-cli.ts"}, "region": {"startLine": 258}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6229, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b806209eeaa467d47a3c33ca403c91c1bc08f10fa9126b374bd9ea92aa9aac60", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 334, "correlation_key": "fp|b806209eeaa467d47a3c33ca403c91c1bc08f10fa9126b374bd9ea92aa9aac60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/anthropic-shared.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6228, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2712b9c61d73b947468dfac2817b7397b4fb7e0242f12e8e7f544efa94b01f1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/daemon/src/types.ts", "duplicate_line": 37, "correlation_key": "fp|b2712b9c61d73b947468dfac2817b7397b4fb7e0242f12e8e7f544efa94b01f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/types.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6226, "scanner": "repobility-ai-code-hygiene", "fingerprint": "766416315cbc6e2f4283ab00d9657046e4e6e9f784483dd28e2082bb4fec1468", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"native/crates/ast/src/glob_util.rs", "duplicate_line": 1, "correlation_key": "fp|766416315cbc6e2f4283ab00d9657046e4e6e9f784483dd28e2082bb4fec1468"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/crates/engine/src/glob_util.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 6225, "scanner": "repobility-ai-code-hygiene", "fingerprint": "29b8e32f8b083183486ef4fe0b1bfc6397d015f016787bb4d842242c668d6e32", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v2", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|29b8e32f8b083183486ef4fe0b1bfc6397d015f016787bb4d842242c668d6e32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/uok/plan-v2.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 6224, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e47ed643fa87d97a13a7625026cccbd98e27ce24bc3dedabf6c10699cdbfc5ec", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "backup", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e47ed643fa87d97a13a7625026cccbd98e27ce24bc3dedabf6c10699cdbfc5ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/db-migration-backup.ts"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 49749, "scanner": "repobility-threat-engine", "fingerprint": "88839d9f0adcb2a4e3943d9d358842eca000841c4628d02acb65dc38c5f6b367", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88839d9f0adcb2a4e3943d9d358842eca000841c4628d02acb65dc38c5f6b367"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/ui/chart.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 49748, "scanner": "repobility-threat-engine", "fingerprint": "5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "aggregated_count": 2}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 49747, "scanner": "repobility-threat-engine", "fingerprint": "b6d80bb2a64b217561a710842192b86bd3032a660fede2bbef7935b98c6d842c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6d80bb2a64b217561a710842192b86bd3032a660fede2bbef7935b98c6d842c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/project-welcome.tsx"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 49746, "scanner": "repobility-threat-engine", "fingerprint": "6fa505459b24554893653e915695a26554455c96c64e1b13974ddce56b759ea5", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6fa505459b24554893653e915695a26554455c96c64e1b13974ddce56b759ea5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/onboarding-gate.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 49745, "scanner": "repobility-threat-engine", "fingerprint": "9625f3fb38f7dbb0a54ec53ae6a8da6a9de4790f4fc6ab475ba448ba392bbfae", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9625f3fb38f7dbb0a54ec53ae6a8da6a9de4790f4fc6ab475ba448ba392bbfae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/loading-skeletons.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in 
source code."}, "properties": {"repobilityId": 49742, "scanner": "repobility-threat-engine", "fingerprint": "2e03d00c873bcf0c2b3bbf56765c22bc743be69c99e9f6461e21d37e7fb04b6d", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "PASSWORD='<redacted>'", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|6|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/agent-browser/templates/authenticated-session.sh"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 49737, "scanner": "repobility-threat-engine", "fingerprint": "ef6648174e9bc7ec97b48136d8afbf8d25a754af5076f228ffb9eb95ae3229cd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef6648174e9bc7ec97b48136d8afbf8d25a754af5076f228ffb9eb95ae3229cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/tui-open-surface-demo.mjs"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 49733, "scanner": "repobility-threat-engine", "fingerprint": "307b83d0878b11fa19a7733164345f24af7c2d92857c6a47165c71bc989c75ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|307b83d0878b11fa19a7733164345f24af7c2d92857c6a47165c71bc989c75ca"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "properties": {"repobilityId": 49728, "scanner": "repobility-threat-engine", "fingerprint": "d7607273fe5f14fcf46e7f8983176d1b193e6925004b1a1c1ea7f0f836f04911", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 41 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 41 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d7607273fe5f14fcf46e7f8983176d1b193e6925004b1a1c1ea7f0f836f04911"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 38 more): Same pattern found in 38 additional files. 
Review if needed."}, "properties": {"repobilityId": 49724, "scanner": "repobility-threat-engine", "fingerprint": "db70c69dfa59d9439f29e5d6ac7bb18aabe13af116e16c9ad57e2c69b7a91271", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|db70c69dfa59d9439f29e5d6ac7bb18aabe13af116e16c9ad57e2c69b7a91271", "aggregated_count": 38}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 49723, "scanner": "repobility-threat-engine", "fingerprint": "5d194882e38522e7822cd0f32434a92049347c7898e1000030c12df74d36a54b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d194882e38522e7822cd0f32434a92049347c7898e1000030c12df74d36a54b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/blob-store.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 49722, "scanner": "repobility-threat-engine", "fingerprint": "819f180b35c1a3a04c33be1d7a70987be1c6bf6555dfdb556f15735d0d661264", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|819f180b35c1a3a04c33be1d7a70987be1c6bf6555dfdb556f15735d0d661264"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/utils/validation.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 49721, "scanner": "repobility-threat-engine", "fingerprint": "ec99ca76b395ac2cf2f5d856e4fa23124f631f455cc6f8e14262ef96210ed7c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec99ca76b395ac2cf2f5d856e4fa23124f631f455cc6f8e14262ef96210ed7c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/env-api-keys.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 49720, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 26 more): Same pattern found in 26 additional files. 
Review if needed."}, "properties": {"repobilityId": 49716, "scanner": "repobility-threat-engine", "fingerprint": "2ac0a4d3efedf85ead2a002006d98ba7a758e69eba354c87e87b620c353f1d10", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2ac0a4d3efedf85ead2a002006d98ba7a758e69eba354c87e87b620c353f1d10", "aggregated_count": 26}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 49715, "scanner": "repobility-threat-engine", "fingerprint": "d95223470e65c2a7f5610716f41a04633cf5a32a2062ac2970a90a80857dcf79", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d95223470e65c2a7f5610716f41a04633cf5a32a2062ac2970a90a80857dcf79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/utils/typebox-helpers.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED054", 
"level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 49714, "scanner": "repobility-threat-engine", "fingerprint": "4c3068fd3c8e6a4c14d6ca1ce520348449084630951d500a1a89bbbf23011235", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c3068fd3c8e6a4c14d6ca1ce520348449084630951d500a1a89bbbf23011235"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/utils/event-stream.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 49713, "scanner": "repobility-threat-engine", "fingerprint": "2d92709e4c4c9087e95fef4f98af18a7cce8dc8b042c8801d486500bda2a2316", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2d92709e4c4c9087e95fef4f98af18a7cce8dc8b042c8801d486500bda2a2316"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "packages/pi-agent-core/src/proxy.ts"}, "region": {"startLine": 290}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "properties": {"repobilityId": 49712, "scanner": "repobility-threat-engine", "fingerprint": "38b1728eef3af78497dc0bdec64f0c5e55e7ceab0e2569c0963b539f6435608f", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|38b1728eef3af78497dc0bdec64f0c5e55e7ceab0e2569c0963b539f6435608f"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "properties": {"repobilityId": 49708, "scanner": "repobility-threat-engine", "fingerprint": "3ab4586a3db8c5d3564335dc0392f39671d03d5fced905bd1eb16e59bcf6301f", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 28 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3ab4586a3db8c5d3564335dc0392f39671d03d5fced905bd1eb16e59bcf6301f"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 49704, "scanner": "repobility-threat-engine", "fingerprint": "71fddcc370b2e8808253283f75ceceba2d4119bdff282f23d18d139433d3219c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|71fddcc370b2e8808253283f75ceceba2d4119bdff282f23d18d139433d3219c"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 49700, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 49699, "scanner": "repobility-threat-engine", "fingerprint": "6a2e225d6d8eeb57eeca8a3fdb03200deb0cbff4cc0ba1c0ebba58fde9421277", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a2e225d6d8eeb57eeca8a3fdb03200deb0cbff4cc0ba1c0ebba58fde9421277"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/ollama/ollama-client.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 49698, "scanner": "repobility-threat-engine", "fingerprint": "f16f545a797aeed41d7cc7ed4540d24cf2b09a72dc5019e7e71a66e5dff4c3a5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f16f545a797aeed41d7cc7ed4540d24cf2b09a72dc5019e7e71a66e5dff4c3a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/utils/git.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 49697, "scanner": "repobility-threat-engine", "fingerprint": "f16188e669068929b098595565e661c46db51afbfccce9b472a3e93a38cc9ebb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f16188e669068929b098595565e661c46db51afbfccce9b472a3e93a38cc9ebb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/daemon/src/launchd.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 24 more): Same pattern found in 24 additional files. 
Review if needed."}, "properties": {"repobilityId": 49696, "scanner": "repobility-threat-engine", "fingerprint": "084288a32066b4c94a5b94b7c2d63f6615a308dfb9be963c394f4fde1bb0b8f0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|084288a32066b4c94a5b94b7c2d63f6615a308dfb9be963c394f4fde1bb0b8f0"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "properties": {"repobilityId": 49692, "scanner": "repobility-threat-engine", "fingerprint": "9ff29688365d7a1b29fad589162cf862a45f8f595399e6838a585c35051db6fb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9ff29688365d7a1b29fad589162cf862a45f8f595399e6838a585c35051db6fb", "aggregated_count": 47}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 49691, "scanner": "repobility-threat-engine", "fingerprint": "ed59239621d706baaa2596fd6fb71124604a2d56502e30e9662d485197470934", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ed59239621d706baaa2596fd6fb71124604a2d56502e30e9662d485197470934"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-agent-core/src/proxy.ts"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 49690, "scanner": "repobility-threat-engine", "fingerprint": "87b34c63fe5fcaff3d05c11571a012a7ff49f77959fe2e2a686fc306fa561c68", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87b34c63fe5fcaff3d05c11571a012a7ff49f77959fe2e2a686fc306fa561c68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/daemon/src/daemon.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 49689, "scanner": "repobility-threat-engine", "fingerprint": "2ab701c002d8328e0cd63e2b90843f84b7a1b99e5d075cd3b66ea02b051666ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ab701c002d8328e0cd63e2b90843f84b7a1b99e5d075cd3b66ea02b051666ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/daemon/src/channel-manager.ts"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 43 more): Same pattern found in 43 additional files. Review if needed."}, "properties": {"repobilityId": 49688, "scanner": "repobility-threat-engine", "fingerprint": "330ab254c332cafa809654a3611ee12474cf59f4e948b53d93ed0d257910c029", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 43 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|330ab254c332cafa809654a3611ee12474cf59f4e948b53d93ed0d257910c029", "aggregated_count": 43}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 49687, "scanner": "repobility-threat-engine", "fingerprint": "f7ebb7b0c3222f6e357fab8ec8c16f93b310da03a88b27c9e5a020ceab749186", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f7ebb7b0c3222f6e357fab8ec8c16f93b310da03a88b27c9e5a020ceab749186"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-agent-core/src/proxy.ts"}, "region": {"startLine": 330}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 49686, "scanner": "repobility-threat-engine", "fingerprint": "8edf4c2974ed01db30879bc409f29345761bf1c64af03f1e1ec493bec320a7f2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8edf4c2974ed01db30879bc409f29345761bf1c64af03f1e1ec493bec320a7f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/scripts/sync-platform-versions.cjs"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 49685, "scanner": "repobility-threat-engine", "fingerprint": "c3948889004f6b792a4f8000b2fb317479c7f406e443910ecc51663b5bbd4ec1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c3948889004f6b792a4f8000b2fb317479c7f406e443910ecc51663b5bbd4ec1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/scripts/build.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 49684, "scanner": "repobility-threat-engine", "fingerprint": "8f9c03da27b674ce6b8cddee4fa5afae1a58a4d5f70b84e22facc5c5624cd928", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f9c03da27b674ce6b8cddee4fa5afae1a58a4d5f70b84e22facc5c5624cd928"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/crates/engine/src/ps.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 49683, "scanner": "repobility-threat-engine", "fingerprint": "8b2b7f1e75205ac34231b473c399662777d534515b51861480472a2bf633ef16", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b2b7f1e75205ac34231b473c399662777d534515b51861480472a2bf633ef16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/crates/engine/src/truncate.rs"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 49682, "scanner": "repobility-threat-engine", "fingerprint": "8aa12113e52a32924a402c191e6c713a4a6749ec16c7c76d66eea7b9025ef40f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8aa12113e52a32924a402c191e6c713a4a6749ec16c7c76d66eea7b9025ef40f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/crates/engine/src/fd.rs"}, "region": {"startLine": 374}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 6250, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 6249, "scanner": "repobility-threat-engine", "fingerprint": "843766487d2a2a3d52b4b0363535d751c7ac2ae46f4fb5608fef6ed30ea9becf", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(chalk.yellow(`${config.name} not found. Offline mode enabled, skipping download.`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|25|console.log chalk.yellow config.name not found. offline mode enabled skipping download."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/utils/tools-manager.ts"}, "region": {"startLine": 254}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 6248, "scanner": "repobility-threat-engine", "fingerprint": "bac82d41b210c447016924ad96a4206b3d671c90811ebf9af93f28e7dae1a4f9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(\"  ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY, etc.\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|59|console.error anthropic_api_key openai_api_key gemini_api_key etc."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/main.ts"}, "region": {"startLine": 593}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 6247, "scanner": "repobility-threat-engine", "fingerprint": "37ed492423fa534c0689a87168a90d627769050db4d7efc90749058f24fad560", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value. Reviewer caveat: the logged `text` is the raw body returned by the token endpoint for a failed code->token exchange; confirm that error responses cannot echo the authorization code or PKCE code_verifier before accepting the false-positive triage.", "evidence": {"match": "console.error(\"[openai-codex] code->token failed:\", response.status, text)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value. Reviewer caveat: the logged `text` is the raw body returned by the token endpoint for a failed code->token exchange; confirm that error responses cannot echo the authorization code or PKCE code_verifier before accepting the false-positive triage.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|12|console.error openai-codex code- token failed: response.status text"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/utils/oauth/openai-codex.ts"}, "region": {"startLine": 130}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 6246, "scanner": "repobility-threat-engine", "fingerprint": "9cc98ec684a3e6bc47534b8969a978472a77e62faf58b476f27031bff834dc54", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9cc98ec684a3e6bc47534b8969a978472a77e62faf58b476f27031bff834dc54"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 6242, "scanner": "repobility-threat-engine", "fingerprint": "a0d26ba9b4df32e50ac3a2172c7bcb910780192e3d92aeb18151489dc0cd5980", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0d26ba9b4df32e50ac3a2172c7bcb910780192e3d92aeb18151489dc0cd5980"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 6241, "scanner": "repobility-threat-engine", "fingerprint": "aa7c0cf36c1ecf2233f35fc43e2cbfb61c7e487095cb36a56a7ddcd6a3314b0a", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|188|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/utils/tools-manager.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 6240, "scanner": "repobility-threat-engine", "fingerprint": "17df2830ba8e5b6ca298de794b805147f630cda1e5ab373e6782b16975e02135", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|948|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google-gemini-cli.ts"}, "region": {"startLine": 948}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 6239, "scanner": "repobility-threat-engine", "fingerprint": "1b66c8c380a1a0554d33d159f8a12ce106cb4bb9acec111386f62a4d806daad4", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|src/worktree-name-gen.ts|44|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/worktree-name-gen.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/gsd-build/gsd-ci-builder:latest` unpinned: `container/services image: ghcr.io/gsd-build/gsd-ci-builder:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 49824, "scanner": "repobility-supply-chain", "fingerprint": "77e7fe8bdaebb8237d4b3bbb5202acf5baad6f901f9e6383579d6265631a720e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77e7fe8bdaebb8237d4b3bbb5202acf5baad6f901f9e6383579d6265631a720e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/next-publish.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49823, "scanner": "repobility-supply-chain", "fingerprint": "faebfbb37486dd9c2699cc57e5decab725d747373c403baf04173cfd70df58ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|faebfbb37486dd9c2699cc57e5decab725d747373c403baf04173cfd70df58ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/next-publish.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `useblacksmith/cache` pinned to mutable ref `@v5`: `uses: useblacksmith/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49822, "scanner": "repobility-supply-chain", "fingerprint": "1dc34504b4a6733e434c85366b16dcffa11f9e50ca670c6e1145603a4be44fea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1dc34504b4a6733e434c85366b16dcffa11f9e50ca670c6e1145603a4be44fea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prod-release.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49821, "scanner": "repobility-supply-chain", "fingerprint": "6121f6052f5e91eac00355ba4209bc53bf66af4ecdce9fc7cc3a3076552df371", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6121f6052f5e91eac00355ba4209bc53bf66af4ecdce9fc7cc3a3076552df371"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prod-release.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49820, "scanner": "repobility-supply-chain", "fingerprint": "fb511e1ce2ebe4db8b3bfc51ec6de8bbfd6c516b1f309f39bd0b95782e72e9ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fb511e1ce2ebe4db8b3bfc51ec6de8bbfd6c516b1f309f39bd0b95782e72e9ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prod-release.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49819, "scanner": "repobility-supply-chain", "fingerprint": "20f93789cbe32b27bba6e8c5316b2f9d14faa6f7a457d3a409392b523693e67a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20f93789cbe32b27bba6e8c5316b2f9d14faa6f7a457d3a409392b523693e67a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-lifecycle.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49818, "scanner": "repobility-supply-chain", "fingerprint": "cd0513f7b5b79ade397348e23ac2de46058c25264657e735edd47e70e4a86f8d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd0513f7b5b79ade397348e23ac2de46058c25264657e735edd47e70e4a86f8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-lifecycle.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49817, "scanner": "repobility-supply-chain", "fingerprint": "8afd93f47a8991bf753928afeca2d4b47406babc98226408c0b86d82f3a339cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8afd93f47a8991bf753928afeca2d4b47406babc98226408c0b86d82f3a339cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-lifecycle.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49816, "scanner": "repobility-supply-chain", "fingerprint": "274a43e4adeaeeb98db5daf169a19677e8f3a7a0b3c56d2185f62596e310fff2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|274a43e4adeaeeb98db5daf169a19677e8f3a7a0b3c56d2185f62596e310fff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-lifecycle.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49815, "scanner": "repobility-supply-chain", "fingerprint": "3a049dd1dd0d53fcbdcf783f545fdd6f6ba9ed321c29b1d679416d26b14a8908", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a049dd1dd0d53fcbdcf783f545fdd6f6ba9ed321c29b1d679416d26b14a8908"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/forensics-check.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49814, "scanner": "repobility-supply-chain", "fingerprint": "243667f5f043a51ffec33b93637d47b6aa24a851b34beab6bc7958cd4d5f5a77", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|243667f5f043a51ffec33b93637d47b6aa24a851b34beab6bc7958cd4d5f5a77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/forensics-check.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49813, "scanner": "repobility-supply-chain", "fingerprint": "e28cc7ea394f2e65bbbb2e7494668e2a49b7951743d50d14fae17cfb0b204a06", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e28cc7ea394f2e65bbbb2e7494668e2a49b7951743d50d14fae17cfb0b204a06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-audit.yml"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49812, "scanner": "repobility-supply-chain", "fingerprint": "70d4be7479f75ef7376cc44f3cee2d6afce8e8cd83167a39e806935a574d6743", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70d4be7479f75ef7376cc44f3cee2d6afce8e8cd83167a39e806935a574d6743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-audit.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49811, "scanner": "repobility-supply-chain", "fingerprint": "f9731c00f6886c5a583eab48ddff8ab9b47d06b0333bde56fab73cdca5a513a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9731c00f6886c5a583eab48ddff8ab9b47d06b0333bde56fab73cdca5a513a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-audit.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49810, "scanner": "repobility-supply-chain", "fingerprint": "d2cde7aafcf452eb29dc847a986128c3ca251acaeb58c544f13ea887843655bc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2cde7aafcf452eb29dc847a986128c3ca251acaeb58c544f13ea887843655bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-audit.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49809, "scanner": "repobility-supply-chain", "fingerprint": "e3504642fed411d971a3f65f81aa8ffe97cba9555c65d20387583b902b5380bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e3504642fed411d971a3f65f81aa8ffe97cba9555c65d20387583b902b5380bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-audit.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49808, "scanner": "repobility-supply-chain", "fingerprint": "2573e3669798c0c7f0584a45ecd3a85114221cc41c5c7be2c7068d5bdf749945", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2573e3669798c0c7f0584a45ecd3a85114221cc41c5c7be2c7068d5bdf749945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/agent-workflow-guard.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49807, "scanner": "repobility-supply-chain", "fingerprint": "c4c8d823827df0d8760ca464872deb798f9172077714ae033634c253eb33f6fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4c8d823827df0d8760ca464872deb798f9172077714ae033634c253eb33f6fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/agent-workflow-guard.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49806, "scanner": "repobility-supply-chain", "fingerprint": "35d2e1c396799952298131844d71fff78f2aeb9828bb591519c2e9c9b512fe88", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35d2e1c396799952298131844d71fff78f2aeb9828bb591519c2e9c9b512fe88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pipeline.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/gsd-build/gsd-ci-builder:latest` unpinned: `container/services image: ghcr.io/gsd-build/gsd-ci-builder:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 49805, "scanner": "repobility-supply-chain", "fingerprint": "b5f63dc38cd08e428a069de296e1afe22141b695b3d4cc2368e246bac1ba6c60", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b5f63dc38cd08e428a069de296e1afe22141b695b3d4cc2368e246bac1ba6c60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev-publish.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49804, "scanner": "repobility-supply-chain", "fingerprint": "e49e61e83ca4209bb9335277abc4d1ec2e4a2b9adeb2756c9908de42b701a13d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e49e61e83ca4209bb9335277abc4d1ec2e4a2b9adeb2756c9908de42b701a13d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev-publish.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49803, "scanner": "repobility-supply-chain", "fingerprint": "e6e390a0360042de2890beff96f33f3f13c7aa94eba839c1deb720acb4be9163", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6e390a0360042de2890beff96f33f3f13c7aa94eba839c1deb720acb4be9163"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev-publish.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `useblacksmith/cache` pinned to mutable ref `@v5`: `uses: useblacksmith/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49802, "scanner": "repobility-supply-chain", "fingerprint": "639c7b9db22e4f24fd60718037922217bb3ca29722e9b799b386015d5c687581", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|639c7b9db22e4f24fd60718037922217bb3ca29722e9b799b386015d5c687581"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev-publish.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49801, "scanner": "repobility-supply-chain", "fingerprint": "6fc619faa1e753b60b8052850c8bfb89d286d050fa3e0a0126b2ec58c3c68dde", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6fc619faa1e753b60b8052850c8bfb89d286d050fa3e0a0126b2ec58c3c68dde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev-publish.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49800, "scanner": "repobility-supply-chain", "fingerprint": "69c600782a4eabe072663c321f9e54bdac8142f39a5a1433846cd7d0f85e23b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|69c600782a4eabe072663c321f9e54bdac8142f39a5a1433846cd7d0f85e23b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev-publish.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49799, "scanner": "repobility-supply-chain", "fingerprint": "927f8c2b4dbcf762aaac3465409be05e53bfc7852e051a22a76fabfb84b8368d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|927f8c2b4dbcf762aaac3465409be05e53bfc7852e051a22a76fabfb84b8368d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/version-check.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 49798, "scanner": "repobility-supply-chain", "fingerprint": "05847fedeef88a98bd83786f646d71c8005870ee7ce7e1f8b41a127a2a12cad2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05847fedeef88a98bd83786f646d71c8005870ee7ce7e1f8b41a127a2a12cad2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cleanup-dev-versions.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm-slim` not pinned by digest: `FROM node:24-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 49797, "scanner": "repobility-supply-chain", "fingerprint": "76dc062e6f3705e052eddd5f735b671df743503ab9c6aa37b5367b5667d610c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76dc062e6f3705e052eddd5f735b671df743503ab9c6aa37b5367b5667d610c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.sandbox"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm` not pinned by digest: `FROM node:24-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 49796, "scanner": "repobility-supply-chain", "fingerprint": "67bd5084bc3d14ec07699a252051f23d74c493b0930d35fc2da134dcce140b35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67bd5084bc3d14ec07699a252051f23d74c493b0930d35fc2da134dcce140b35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.ci-builder"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@gsd-build/contracts` pulled from URL/Git: `dependencies.@gsd-build/contracts` = `file:../packages/contracts` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the location that specifier resolves to (here a local path rather than a URL or git host) is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 49795, "scanner": "repobility-supply-chain", "fingerprint": "d7b27a7ce235f956108b52438cefb228e4c9fd299a8047b2f98a788e0e225b96", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d7b27a7ce235f956108b52438cefb228e4c9fd299a8047b2f98a788e0e225b96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@gsd-build/contracts` pulled from URL/Git: `dependencies.@gsd-build/contracts` = `file:../packages/contracts` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 49794, "scanner": "repobility-supply-chain", "fingerprint": "7a1758612060bb84c829e9c055bef03a0d85fa413c349b828de57e3092dfe963", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a1758612060bb84c829e9c055bef03a0d85fa413c349b828de57e3092dfe963"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vscode-extension/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 49793, "scanner": "repobility-supply-chain", "fingerprint": "3d8cce78f834189648f654f7d043f4e38771d723121a1ce31d2c141d49c402d5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d8cce78f834189648f654f7d043f4e38771d723121a1ce31d2c141d49c402d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 49792, "scanner": "repobility-supply-chain", "fingerprint": "07b0e68f45f812b23c0bbc1b903d39624b320b4d49f5e7dfb5e260061fd707be", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07b0e68f45f812b23c0bbc1b903d39624b320b4d49f5e7dfb5e260061fd707be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_preserves_non_status_labels` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49791, "scanner": "repobility-ast-engine", "fingerprint": "3be143136c79e6d7c54baab0eed4eae2d0dd472a55751569a1fefcfbe9731fb5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3be143136c79e6d7c54baab0eed4eae2d0dd472a55751569a1fefcfbe9731fb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 530}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_per_issue_failure_continues_and_exits_nonzero` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49790, "scanner": "repobility-ast-engine", "fingerprint": "e83184e24339ada98ef726c19b5d76648633f3e0e8c5c53adff7a0109e7e6c84", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e83184e24339ada98ef726c19b5d76648633f3e0e8c5c53adff7a0109e7e6c84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 514}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_closed_milestone_exits_nonzero` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49789, "scanner": "repobility-ast-engine", "fingerprint": "bae9c798b16dbeac839b2df8fd34974fcfbba6f23efba49db8af31619165da28", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bae9c798b16dbeac839b2df8fd34974fcfbba6f23efba49db8af31619165da28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 459}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_summary_counts_reported` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49788, "scanner": "repobility-ast-engine", "fingerprint": "24fa5c56cabc126071f08123dbc18a367be6cf9db1c7fc074eca68fbdc663fd6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|24fa5c56cabc126071f08123dbc18a367be6cf9db1c7fc074eca68fbdc663fd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 441}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_creates_in_progress_label_when_missing` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49787, "scanner": "repobility-ast-engine", "fingerprint": "2f8f6d437e64c35f940b841070a59c7dc4b445ac35cae8ac87ee0aeadf1123ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f8f6d437e64c35f940b841070a59c7dc4b445ac35cae8ac87ee0aeadf1123ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 421}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_skips_already_in_progress_issues` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49786, "scanner": "repobility-ast-engine", "fingerprint": "5a6619f5255220dca8c1ccbbd37f481a78319561333b95b819d2000a2c847f2f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a6619f5255220dca8c1ccbbd37f481a78319561333b95b819d2000a2c847f2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 401}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_transitions_needs_grooming_to_in_progress` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 49785, "scanner": "repobility-ast-engine", "fingerprint": "6ee723ec668cd316b630c5894ecf479181512e264d56d581587142769ee3e4b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6ee723ec668cd316b630c5894ecf479181512e264d56d581587142769ee3e4b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 381}}}]}, {"ruleId": "SEC092", "level": "error", "message": {"text": "[SEC092] Go: SQL via fmt.Sprintf or string concat: SQL query constructed via Sprintf or `+` enables SQL injection. 
Ported from gosec G201 / G202 (Apache-2.0)."}, "properties": {"repobilityId": 49740, "scanner": "repobility-threat-engine", "fingerprint": "b85a0c191cb14048af1e98756ab6ad6ea41ef8d44a5c66c09bf73e3e029bbcd7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "db.exec(\n    \"CREATE UNIQUE INDEX IF NOT EXISTS idx_unit_dispatches_active_per_unit \"\n    +", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC092", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b85a0c191cb14048af1e98756ab6ad6ea41ef8d44a5c66c09bf73e3e029bbcd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/db-coordination-schema.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 49739, "scanner": "repobility-threat-engine", "fingerprint": "10c5f2a58b00d2a543d7ef8ac98b761f6599f926285687ac4770a810225b1081", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10c5f2a58b00d2a543d7ef8ac98b761f6599f926285687ac4770a810225b1081"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/activity-log.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC100", "level": "error", 
"message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 49738, "scanner": "repobility-threat-engine", "fingerprint": "eaf77680b574b93cdd3e75978a479807eb1dcab40559b75da1f11cc0c9d1ad38", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"access-control-allow-origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eaf77680b574b93cdd3e75978a479807eb1dcab40559b75da1f11cc0c9d1ad38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/browser-tools/tools/network-mock.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 49736, "scanner": "repobility-threat-engine", "fingerprint": "2213cfb784b3170e0ac20d94453bb35e95a0d6700871f7ce15a13686f8f909d9", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|141|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/summarize-prompt-context.cjs"}, "region": {"startLine": 141}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 49732, "scanner": "repobility-threat-engine", "fingerprint": "17cb1977c47afa17cfd00aee96a7cc75379f822cfeeb14650406d6184dc44ea7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(ignoreRegex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|17cb1977c47afa17cfd00aee96a7cc75379f822cfeeb14650406d6184dc44ea7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/secret-scan.mjs"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 49731, "scanner": "repobility-threat-engine", "fingerprint": "f0797e7aa7f4f84d7867c4a6c54efef9f87e57f008cee7516b079058970a1a56", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f0797e7aa7f4f84d7867c4a6c54efef9f87e57f008cee7516b079058970a1a56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/modes/interactive/components/session-selector-search.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 49730, "scanner": "repobility-threat-engine", "fingerprint": "6e016f88744b23719e921bb51f26fce38280e7977acdea81f3d67caf3626f0c5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(rule", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6e016f88744b23719e921bb51f26fce38280e7977acdea81f3d67caf3626f0c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/tools/bash-interceptor.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render."}, "properties": {"repobilityId": 49729, "scanner": "repobility-threat-engine", "fingerprint": "5d3d8f5efab88c319daa6f0a67d79c777b5672c877c369667b1dddb068812312", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d3d8f5efab88c319daa6f0a67d79c777b5672c877c369667b1dddb068812312"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/think-tag-parser.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49727, "scanner": "repobility-threat-engine", "fingerprint": "cb91df524c423b4b92f8cc4ba54282d495de2ab0f885031bd515b58d2940d13e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cb91df524c423b4b92f8cc4ba54282d495de2ab0f885031bd515b58d2940d13e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/utils/oauth/google-antigravity.ts"}, "region": {"startLine": 209}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49726, "scanner": "repobility-threat-engine", "fingerprint": "a88f5cfbbc7579e7991e3106365e0deb139afb04fa02964103dd412f630b9e25", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a88f5cfbbc7579e7991e3106365e0deb139afb04fa02964103dd412f630b9e25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/azure-openai-responses.ts"}, "region": {"startLine": 129}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 49725, "scanner": "repobility-threat-engine", "fingerprint": "56fb102b0c604b8429c86c6f616848004f023b45ea7ee570c09d4f67ea46d1c7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|56fb102b0c604b8429c86c6f616848004f023b45ea7ee570c09d4f67ea46d1c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/anthropic.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 49711, "scanner": "repobility-threat-engine", "fingerprint": "0f4fe4f539f61affcdf0b90b16b815c9e826092e9d79a701bdf45a2e38594dc7", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line) => `<div class=\"ansi-line\">${ansiToHtml(line) || \"&nbsp;\"}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0f4fe4f539f61affcdf0b90b16b815c9e826092e9d79a701bdf45a2e38594dc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/export-html/ansi-to-html.ts"}, "region": {"startLine": 257}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 49710, "scanner": "repobility-threat-engine", "fingerprint": "2faae09472dee59805da1f79967565a6e8abff362fc8dfb64988a861334bcf59", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((p) => `  ${p.id.padEnd(20)} ${p.name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2faae09472dee59805da1f79967565a6e8abff362fc8dfb64988a861334bcf59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/cli.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 49709, "scanner": "repobility-threat-engine", "fingerprint": "fbfe04ed924e53e0e9e44ac173c80c3a25cf67ea1e9b43c5b53f8e718b252727", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((e) => `  - ${e}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fbfe04ed924e53e0e9e44ac173c80c3a25cf67ea1e9b43c5b53f8e718b252727"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/native/src/native.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49703, "scanner": "repobility-threat-engine", "fingerprint": "7b60e25bfb121556eb7943f938b395b8ca83ea93c198ebccc20ec1709fbd3782", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.save();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b60e25bfb121556eb7943f938b395b8ca83ea93c198ebccc20ec1709fbd3782"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/discovery-cache.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49702, "scanner": "repobility-threat-engine", "fingerprint": "5da89c963ad78a0a78841ebd6fa043ac2002452b3d50068c9dcb4626fc203168", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "oauthProviderRegistry.delete(id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5da89c963ad78a0a78841ebd6fa043ac2002452b3d50068c9dcb4626fc203168"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/utils/oauth/index.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 49701, "scanner": "repobility-threat-engine", "fingerprint": "761aad9b15e4027573d94ef7b1aafc095e75747929b16f3563388e293c1a90d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cache.delete(oldest.value);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|761aad9b15e4027573d94ef7b1aafc095e75747929b16f3563388e293c1a90d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/readers/paths.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 49695, "scanner": "repobility-threat-engine", "fingerprint": "9c664801bd3cd77d22d56e80505592ae33c73e4d42fded7df531c4debe9e9eaa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9c664801bd3cd77d22d56e80505592ae33c73e4d42fded7df531c4debe9e9eaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/bash-executor.ts"}, "region": {"startLine": 276}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 49694, "scanner": "repobility-threat-engine", "fingerprint": "6e10a79b13fd9ebf45c14026067bda9f71a3cf6483ef3964c8a8b10bce35434c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6e10a79b13fd9ebf45c14026067bda9f71a3cf6483ef3964c8a8b10bce35434c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/readers/roadmap.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 49693, "scanner": "repobility-threat-engine", "fingerprint": "8578a2f80d8b51d96587096aa4b05bc8d213a44e06dd5e2b77c4841ffd0e3307", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8578a2f80d8b51d96587096aa4b05bc8d213a44e06dd5e2b77c4841ffd0e3307"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/daemon/src/launchd.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "ERRH001", "level": "error", "message": {"text": "Bare except: pass \u2014 silent failure"}, "properties": {"repobilityId": 17890, "scanner": "repobility", "fingerprint": "e9656d3297cc6e6435862224aefa31b4", "category": "error_handling", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "except: pass", "aljefra_cwe": ["CWE-755"], "aljefra_owasp": null, "aljefra_pattern_slug": "bare-except-pass"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 465}}}]}, {"ruleId": "ERRH001", "level": "error", "message": {"text": "Bare except: pass \u2014 silent failure"}, "properties": {"repobilityId": 17889, "scanner": "repobility", "fingerprint": "6c7c7e632816d7be7393f666e5d7e922", "category": "error_handling", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "except: pass", "aljefra_cwe": ["CWE-755"], "aljefra_owasp": null, "aljefra_pattern_slug": "bare-except-pass"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 387}}}]}, {"ruleId": "ERRH001", "level": "error", "message": {"text": "Bare except: pass \u2014 silent failure"}, "properties": {"repobilityId": 17888, "scanner": "repobility", "fingerprint": "abb728301decf53f35ed923628721816", "category": "error_handling", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "except: pass", "aljefra_cwe": ["CWE-755"], "aljefra_owasp": null, "aljefra_pattern_slug": "bare-except-pass"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 316}}}]}, {"ruleId": "ERRH001", "level": "error", "message": {"text": "Bare except: pass \u2014 silent failure"}, "properties": {"repobilityId": 17887, "scanner": "repobility", "fingerprint": "fc9c7a81846b954d879df165a0a1a6cb", "category": "error_handling", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "except: pass", "aljefra_cwe": ["CWE-755"], "aljefra_owasp": null, "aljefra_pattern_slug": "bare-except-pass"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 242}}}]}, {"ruleId": "PATH001", "level": "error", "message": {"text": "Path traversal \u2014 user input in os.path.join"}, "properties": {"repobilityId": 15859, "scanner": "repobility", "fingerprint": "20354257076135b01b11477abbbd6cae", "category": "path_traversal", "severity": "high", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "os.path.join(\n        os.environ", "aljefra_cwe": ["CWE-22"], "aljefra_owasp": "A01:2021", "aljefra_pattern_slug": "path-traversal-os-join"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 341}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 6287, "scanner": "repobility-journey-contract", "fingerprint": "9f17371cd2c6fd4e07bf3211a168b6cc6368b0b54eccce41ffdd28a72a18900c", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|248|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/onboarding/step-authenticate.tsx"}, "region": {"startLine": 248}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 6286, "scanner": "repobility-journey-contract", "fingerprint": "0c5f7efa7a837e21bb99dabb2bbc93becba1040b80510a0aea38d1966303c3d8", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|34|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/utils/oauth/google-antigravity.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": 
"DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 6255, "scanner": "repobility-docker", "fingerprint": "79c614a2f0d5a363f094db330be24c755b5b35a348ab00b605beaed0de34cc88", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell, so whatever the remote host serves at build time is executed with no integrity check. Download the script to a file, pin its version, and verify a checksum or signature before executing it.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|79c614a2f0d5a363f094db330be24c755b5b35a348ab00b605beaed0de34cc88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.ci-builder"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files. Resolve the final path and reject it unless it stays under the intended base directory before opening it."}, "properties": {"repobilityId": 6251, "scanner": "repobility-threat-engine", "fingerprint": "38c2595eda986a3db2054597dd736abb1d7f3b5af26a261c69b1cc779c65e0a7", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|286|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/export-html/index.ts"}, "region": {"startLine": 286}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 49741, "scanner": "repobility-threat-engine", "fingerprint": "0a521d61bae03362926d857fd4c2df964ef45723532a492db635e20bd13d24fe", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Note: the matched file is TypeScript (prompts.ts), where the Python jinja2 API cannot be invoked; confirm whether this is a textual match inside a prompt string rather than a reachable template render before treating it as a critical RCE.", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a521d61bae03362926d857fd4c2df964ef45723532a492db635e20bd13d24fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/visual-brief/prompts.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": 
{"repobilityId": 16630, "scanner": "repobility", "fingerprint": "280be7ea8f975b2cffb6271b6f9e186d", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "xoxp-abc-def-ghi", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/tests/remote-questions.test.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16629, "scanner": "repobility", "fingerprint": "59bf628890ac171625a896e793fac332", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "xoxb-1234-5678-abcdef", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/tests/remote-questions.test.ts"}, "region": {"startLine": 137}}}]}]}]}