{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `commander` is 1 major version(s) behind (^14.0.3 -> 15.0.0)", "shortDescription": {"text": "npm package `commander` is 1 major version(s) behind (^14.0.3 -> 15.0.0)"}, "fullDescription": {"text": "`commander` is pinned/resolved at ^14.0.3 but the latest stable release on the npm registry is 15.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 29 more): Same pattern found in 29 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 10 more): Same pattern found in 10 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 38 more): Same pattern found in 38 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC036", "name": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF ", "shortDescription": {"text": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. Real CVEs: CVE-2017-15193 (Mahara), CVE-20"}, "fullDescription": {"text": "Strip `\\r\\n` before setting headers:\n  safe = value.replace('\\r','').replace('\\n','')\n  response.headers['X-Custom'] = safe\nMost modern frameworks (Django 3+, Express 4.10+) already do this \u2014 but custom header-setting code often doesn't. Prefer framework methods (`response.set_cookie`) over manual header dict assignment."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `pnpm/action-setup` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "package.json dep `remote-helper` pulled from URL/Git", "shortDescription": {"text": "package.json dep `remote-helper` pulled from URL/Git"}, "fullDescription": {"text": "`dependencies.remote-helper` = `git+ssh://example.invalid/remote-helper.git` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/gitleaks/gitleaks` pinned to mutable rev `v8.21.2`", "shortDescription": {"text": "pre-commit hook `https://github.com/gitleaks/gitleaks` pinned to mutable rev `v8.21.2`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/gitleaks/gitleaks` at `rev: v8.21.2`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:22-alpine` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:22-alpine` not pinned by digest"}, "fullDescription": {"text": "`FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express DELETE /file/*path has no auth", "shortDescription": {"text": "Express DELETE /file/*path has no auth"}, "fullDescription": {"text": "Express route DELETE /file/*path declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "stripe-access-token", "name": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.", "shortDescription": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "jwt", "name": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.", "shortDescription": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "curl-auth-header", "name": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed r", "shortDescription": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1083"}, "properties": {"repository": "BradGroux/veritas-kanban", "repoUrl": "https://github.com/BradGroux/veritas-kanban", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 106433, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 106403, "scanner": "repobility-threat-engine", "fingerprint": "1ea0cdcb9fb8946b18215e6d6690d48d791260764325c9f9bc2484dd8b0e3661", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(`vscode://file/${task.git.worktreePath}`, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|54|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/task/git/WorktreeStatus.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 106402, "scanner": "repobility-threat-engine", "fingerprint": "3c99be20b67b3abfd261ca2246a2415759622eae685f3f7680c9f66e06ea1e92", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(result.url, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|30|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/task/git/PRDialog.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 106401, "scanner": "repobility-threat-engine", "fingerprint": "3df88c6989591c370331b244b5871139a6e05e35159c5f6c2b55144b60cd41d2", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(previewUrl, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|67|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/task/PreviewPanel.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 106393, "scanner": "repobility-threat-engine", "fingerprint": "9458ea1094f4c69a9dc3d60769cc1658f4345d5764c41c12d51d72c9d6981aa0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|123|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/database.ts"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 106392, "scanner": "repobility-threat-engine", "fingerprint": "0739c277a42d5e47659459cef1660052135130abca3820efc170776ef8e2a102", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|73|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/chat-repository.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 106391, "scanner": "repobility-threat-engine", "fingerprint": "90f33acc2834acfa5244ab76076e002d5bd997ae6570c8be37c0865742bb0406", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|116|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/activity-repository.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 106389, "scanner": "repobility-threat-engine", "fingerprint": "972ec769d4af11b486cac00600b8e9a666d28a1b26fc1d5e10eb7e130071c9b7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ivity> {\n    const activity: Activity = {\n      id: `activity_${Date.now()}_${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|972ec769d4af11b486cac00600b8e9a666d28a1b26fc1d5e10eb7e130071c9b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/activity-repository.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 106388, "scanner": "repobility-threat-engine", "fingerprint": "0e4f860f0152206c0507b4e58139e77781afa3b164b2082721be564866a71ae9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ivate generateId(): string {\n    return `shared_${Date.now()}_${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0e4f860f0152206c0507b4e58139e77781afa3b164b2082721be564866a71ae9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/shared-resources-service.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 106387, "scanner": "repobility-threat-engine", "fingerprint": "f2eb5464ce25336e08fb6991e709e942cd025bd100c1deb21d77dbfc893d27e5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ivity: Activity = {\n      id: `activity_${Date.now()}_${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2eb5464ce25336e08fb6991e709e942cd025bd100c1deb21d77dbfc893d27e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/activity-service.ts"}, "region": {"startLine": 194}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 106381, "scanner": "repobility-threat-engine", "fingerprint": "9c7f6c12e0455d1fccc9502e12dd026147869ffb6e108d64134bd47500753d95", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9c7f6c12e0455d1fccc9502e12dd026147869ffb6e108d64134bd47500753d95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/worktree-service.ts"}, "region": {"startLine": 209}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 106380, "scanner": "repobility-threat-engine", "fingerprint": "1914465026d166be4bb2afaeb52e9dda5991ac20abc614e7d82caaae15712475", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1914465026d166be4bb2afaeb52e9dda5991ac20abc614e7d82caaae15712475"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/trace-service.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 106379, "scanner": "repobility-threat-engine", "fingerprint": "f6eef1690f2f2071616809f84f34f9ede242a4232f0051767e3fde429ddc7203", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f6eef1690f2f2071616809f84f34f9ede242a4232f0051767e3fde429ddc7203"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/chat.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 106341, "scanner": "repobility-agent-runtime", "fingerprint": "c4ad243e7d1bbc08b217c83cd70c2f19c1fbbd4d05c29195f740a22ba5de0d34", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c4ad243e7d1bbc08b217c83cd70c2f19c1fbbd4d05c29195f740a22ba5de0d34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/config-service.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 106340, "scanner": "repobility-agent-runtime", "fingerprint": "f1326f9f57f451e307f4eafedd2f2eef3fab589983d2b10578eb5a03300b7b6a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f1326f9f57f451e307f4eafedd2f2eef3fab589983d2b10578eb5a03300b7b6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/__fixtures__/skill-security/malicious/remote-script/SKILL.md"}, "region": {"startLine": 6}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `commander` is 1 major version(s) behind (^14.0.3 -> 15.0.0)"}, "properties": {"repobilityId": 106338, "scanner": "repobility-dependency-currency", "fingerprint": "a348d3c15e460d90735b54489421f50e77c098b639e7de38990e74bb760d52fa", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "commander", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "15.0.0", "correlation_key": "fp|a348d3c15e460d90735b54489421f50e77c098b639e7de38990e74bb760d52fa", "current_version": "^14.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `concurrently` is 1 major version(s) behind (^9.1.0 -> 10.0.3)"}, "properties": {"repobilityId": 106331, "scanner": "repobility-dependency-currency", "fingerprint": "0343a04c26ac3dbc9ed09596268982b159031cb959d3229e29b3e1dc76251aa3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "concurrently", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.3", "correlation_key": "fp|0343a04c26ac3dbc9ed09596268982b159031cb959d3229e29b3e1dc76251aa3", "current_version": "^9.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@eslint/js` is 1 major version(s) behind (9.38.0 -> 10.0.1)"}, "properties": {"repobilityId": 106330, "scanner": "repobility-dependency-currency", "fingerprint": "49d03c3a565a3509e3c5521179eb68fa0fa57469f35e07d939e1ae4c203e0277", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|49d03c3a565a3509e3c5521179eb68fa0fa57469f35e07d939e1ae4c203e0277", "current_version": "9.38.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 106432, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 106431, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 106430, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 106429, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 106405, "scanner": "repobility-docker", "fingerprint": "2b17be4bf6aee2718fb5df46587c8b85f72ed91b4adad5ae176965d574679dc8", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "veritas-kanban", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2b17be4bf6aee2718fb5df46587c8b85f72ed91b4adad5ae176965d574679dc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 106404, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `chalk` is minor version(s) behind (^5.3.0 -> 5.6.2)"}, "properties": {"repobilityId": 106339, "scanner": "repobility-dependency-currency", "fingerprint": "e4d5c3f6e5208073ea4f9f6a544cab2fcc0c55e62e2d8d621ff241491b68550b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "chalk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.6.2", "correlation_key": "fp|e4d5c3f6e5208073ea4f9f6a544cab2fcc0c55e62e2d8d621ff241491b68550b", "current_version": "^5.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/react-dom` is minor version(s) behind (^19.0.0 -> 19.2.3)"}, "properties": {"repobilityId": 106337, "scanner": "repobility-dependency-currency", "fingerprint": "b29d2c853314d99250cab51ca4701f18af30e1b58365a419523e6b82dacaba70", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.2.3", "correlation_key": "fp|b29d2c853314d99250cab51ca4701f18af30e1b58365a419523e6b82dacaba70", "current_version": "^19.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/ws` is minor version(s) behind (^8.5.13 -> 8.18.1)"}, "properties": {"repobilityId": 106336, "scanner": "repobility-dependency-currency", "fingerprint": "61b584e0285e26cb4d8836facc8d878631ab87895180e9044a1a6db64ecf1df5", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/ws", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.18.1", "correlation_key": "fp|61b584e0285e26cb4d8836facc8d878631ab87895180e9044a1a6db64ecf1df5", "current_version": "^8.5.13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106275, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9f4ef61e428ce45d8647eae04857f7d159ef4897486aa7eddef674f08c801946", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/components/dashboard/DurationDrillDown.tsx", "duplicate_line": 6, "correlation_key": "fp|9f4ef61e428ce45d8647eae04857f7d159ef4897486aa7eddef674f08c801946"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/dashboard/TokensDrillDown.tsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106274, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac10276a948dfd4036224354c497ec2e27dde72eb75984dc5287891b05acd295", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/components/dashboard/DurationDrillDown.tsx", "duplicate_line": 8, "correlation_key": "fp|ac10276a948dfd4036224354c497ec2e27dde72eb75984dc5287891b05acd295"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/dashboard/ErrorsDrillDown.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106273, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6f6ad7b9f0fea70b1bae6eade098472f35636a8cfdbc71985f88611fbe01714", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/src/types/config.types.ts", "duplicate_line": 347, "correlation_key": "fp|f6f6ad7b9f0fea70b1bae6eade098472f35636a8cfdbc71985f88611fbe01714"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/dashboard/DashboardPage.tsx"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106272, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb3fa04f04dfa8cd48f878c91b85278ffbd21cf42f4e53b0912a31ba6aeef0c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/components/dashboard/Dashboard.tsx", "duplicate_line": 40, "correlation_key": "fp|eb3fa04f04dfa8cd48f878c91b85278ffbd21cf42f4e53b0912a31ba6aeef0c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/dashboard/DashboardPage.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106271, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aaf4c1c579dba3a722b4aea24058fe9a1183e0325dd9fd9cf5fc41d7d252337c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/src/types/config.types.ts", "duplicate_line": 347, "correlation_key": "fp|aaf4c1c579dba3a722b4aea24058fe9a1183e0325dd9fd9cf5fc41d7d252337c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/dashboard/Dashboard.tsx"}, "region": {"startLine": 130}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106270, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4709126a58cb5a5fffb6805a7aceb0d4bbd576c3bd5c6b71fafdbe5ced4c45f4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/components/auth/LoginScreen.tsx", "duplicate_line": 54, "correlation_key": "fp|4709126a58cb5a5fffb6805a7aceb0d4bbd576c3bd5c6b71fafdbe5ced4c45f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/auth/SetupScreen.tsx"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106269, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b37128977024d5e7cdbe51f9cec07ffb954bdf72d3c63789c7c24e056721236d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/middleware/auth.ts", "duplicate_line": 15, "correlation_key": "fp|b37128977024d5e7cdbe51f9cec07ffb954bdf72d3c63789c7c24e056721236d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/src/utils/api-permissions.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106268, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e852189082bb77088785a931c9199546b9614474ab20129232765fc4fb51a45", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/types/workflow.ts", "duplicate_line": 1, "correlation_key": "fp|6e852189082bb77088785a931c9199546b9614474ab20129232765fc4fb51a45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/src/types/workflow.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "98376543a17a3509a659352ef41db157df74c1baa9e23d81869151b54ee61b12", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/src/types/task.types.js", "duplicate_line": 2, "correlation_key": "fp|98376543a17a3509a659352ef41db157df74c1baa9e23d81869151b54ee61b12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/src/types/task.types.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106266, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5e2fc852590752c6c9a7b7d48802e4bfe1e9f5793ea7c780a3804c34b70967c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/services/data-lifecycle-policy.ts", "duplicate_line": 1, "correlation_key": "fp|b5e2fc852590752c6c9a7b7d48802e4bfe1e9f5793ea7c780a3804c34b70967c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/src/types/maintenance.types.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106265, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dbad2338f4a98168c06c920d2f790fdc85a36be55a5a16d3af57f69a822fec5c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/services/work-product-service.ts", "duplicate_line": 694, "correlation_key": "fp|dbad2338f4a98168c06c920d2f790fdc85a36be55a5a16d3af57f69a822fec5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/work-product-repository.ts"}, "region": {"startLine": 277}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106264, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f540a96ad87e06c54e0e9508cda061fca6f2344499efa4fb30e25d2e8fb8fa20", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/services/telemetry-service.ts", "duplicate_line": 270, "correlation_key": "fp|f540a96ad87e06c54e0e9508cda061fca6f2344499efa4fb30e25d2e8fb8fa20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/telemetry-repository.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106263, "scanner": "repobility-ai-code-hygiene", "fingerprint": "090772589e32a7e3a6658656eaae9fff61680d6a85664dce42f7ba48ec25f216", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/storage/sqlite/activity-repository.ts", "duplicate_line": 99, "correlation_key": "fp|090772589e32a7e3a6658656eaae9fff61680d6a85664dce42f7ba48ec25f216"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/task-repository.ts"}, "region": {"startLine": 405}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106262, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e097899dc8a24b8ea9ff345bc6e9922a376ca48b67d121e70c92b7c3c5ac216", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/storage/sqlite/activity-repository.ts", "duplicate_line": 99, "correlation_key": "fp|8e097899dc8a24b8ea9ff345bc6e9922a376ca48b67d121e70c92b7c3c5ac216"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/status-history-repository.ts"}, "region": {"startLine": 242}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106261, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f9caf6b3eb84e768c8a2222d6dc83434c2e7c3c43813dd7fbc124b5675b36559", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/services/status-history-service.ts", "duplicate_line": 173, "correlation_key": "fp|f9caf6b3eb84e768c8a2222d6dc83434c2e7c3c43813dd7fbc124b5675b36559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/status-history-repository.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106260, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74a67f376ad9aa063cd80fa02c0ece04863aed887730fceba2f2a2a3d42b5c0c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/storage/sqlite/activity-repository.ts", "duplicate_line": 99, "correlation_key": "fp|74a67f376ad9aa063cd80fa02c0ece04863aed887730fceba2f2a2a3d42b5c0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/prompt-registry-repository.ts"}, "region": {"startLine": 340}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106259, "scanner": "repobility-ai-code-hygiene", "fingerprint": "56518f3f29da38167cd4fdd121ab1a7911e32e5ff8ba5cdbb5376582b2230043", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/services/prompt-registry-service.ts", "duplicate_line": 168, "correlation_key": "fp|56518f3f29da38167cd4fdd121ab1a7911e32e5ff8ba5cdbb5376582b2230043"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/prompt-registry-repository.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106258, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0396316e3fccb93747dd05ecb34550ca1b4ee3d41c688d821674edecb3502c13", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/storage/sqlite/activity-repository.ts", "duplicate_line": 101, "correlation_key": "fp|0396316e3fccb93747dd05ecb34550ca1b4ee3d41c688d821674edecb3502c13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/managed-list-repository.ts"}, "region": {"startLine": 242}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106257, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99aa00fc21bba7abdb3deb869f087aa8b27a2e0a3c9656e123c05149a5d6007a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/services/prompt-registry-service.ts", "duplicate_line": 54, "correlation_key": "fp|99aa00fc21bba7abdb3deb869f087aa8b27a2e0a3c9656e123c05149a5d6007a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/template-service.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106256, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c0fb99195a561c88bc4e74b33ba57e93ddd95fef0570fa7a846fde8602a513b0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/routes/system-health.ts", "duplicate_line": 83, "correlation_key": "fp|c0fb99195a561c88bc4e74b33ba57e93ddd95fef0570fa7a846fde8602a513b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/system-health-service.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106255, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ebf4e066c55e6380eb5d4291a871517f0479f462ee2c58f43a87e8f80acd665", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/utils/types.ts", "duplicate_line": 4, "correlation_key": "fp|1ebf4e066c55e6380eb5d4291a871517f0479f462ee2c58f43a87e8f80acd665"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/metrics/types.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106254, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b17d8003418121b84a0b786ac2a2537eb3e0ea7c80ddaf641c93386e2a49d99", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/services/api-token-service.ts", "duplicate_line": 253, "correlation_key": "fp|5b17d8003418121b84a0b786ac2a2537eb3e0ea7c80ddaf641c93386e2a49d99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/identity-service.ts"}, "region": {"startLine": 255}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106253, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e73ef9073625e916d798d362ea0e282e7171d79d9c3706a198e68ab620be0fe8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/middleware/auth.ts", "duplicate_line": 87, "correlation_key": "fp|e73ef9073625e916d798d362ea0e282e7171d79d9c3706a198e68ab620be0fe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/device-session-service.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106252, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f789e93fdc9e636a83e6b4990dd119ae11686f0288272eb65fa766d8bd136196", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/services/api-token-service.ts", "duplicate_line": 24, "correlation_key": "fp|f789e93fdc9e636a83e6b4990dd119ae11686f0288272eb65fa766d8bd136196"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/device-session-service.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106251, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e0457a307f1c0600d6e9b20fd5c3a80abbc856072447e35fd6687eb384fb11e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/routes/maintenance.ts", "duplicate_line": 23, "correlation_key": "fp|e0457a307f1c0600d6e9b20fd5c3a80abbc856072447e35fd6687eb384fb11e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/skill-security.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106250, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e4454ba6629f5ebea0c9346ec8bbcfd1e97357b6dd1389a3b9d8f004cabd2859", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/routes/feedback.ts", "duplicate_line": 22, "correlation_key": "fp|e4454ba6629f5ebea0c9346ec8bbcfd1e97357b6dd1389a3b9d8f004cabd2859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/scoring.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106249, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b1da9700f5197642c0837f8012cd4cc476528ad8027e219d8a05f84ddd8c24a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/utils/api.ts", "duplicate_line": 1, "correlation_key": "fp|b1da9700f5197642c0837f8012cd4cc476528ad8027e219d8a05f84ddd8c24a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/utils/api.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106248, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e39c227d568bbc5219ea923183088e566681793d0a30b317cceb6ad8c51d6369", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcp/src/tools/agents.ts", "duplicate_line": 34, "correlation_key": "fp|e39c227d568bbc5219ea923183088e566681793d0a30b317cceb6ad8c51d6369"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/tools/tasks.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106247, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd376ebadfd5996942d61d5c6882fc47fe722d045ef81ac271fd8bdd742382fa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/doctor.ts", "duplicate_line": 74, "correlation_key": "fp|bd376ebadfd5996942d61d5c6882fc47fe722d045ef81ac271fd8bdd742382fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/snapshot.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 106400, "scanner": "repobility-threat-engine", "fingerprint": "93cbe534951178666d5b4580a210cf7d90f5919f5b43a9731fa7dd1375669009", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|93cbe534951178666d5b4580a210cf7d90f5919f5b43a9731fa7dd1375669009", "aggregated_count": 15}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 106399, "scanner": "repobility-threat-engine", "fingerprint": "72864412686db34d3e3b9008439cfae28ee54a401deae32b81c4390899937d21", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72864412686db34d3e3b9008439cfae28ee54a401deae32b81c4390899937d21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/dashboard/ActivityClock.tsx"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 106398, "scanner": "repobility-threat-engine", "fingerprint": "9390fe02ffb577ea6c75580dde8fc952d413706b0ee7022558bd1fdd7707b490", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9390fe02ffb577ea6c75580dde8fc952d413706b0ee7022558bd1fdd7707b490"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/board/BoardLoadingSkeleton.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 106397, "scanner": "repobility-threat-engine", "fingerprint": "1bb3aee6e74b0e0dffda31c056f50ab203c3e22ce391f1fc305661930d939b62", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1bb3aee6e74b0e0dffda31c056f50ab203c3e22ce391f1fc305661930d939b62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/auth/SetupScreen.tsx"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 106394, "scanner": "repobility-threat-engine", "fingerprint": "c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22"}}}, {"ruleId": "MINED019", "level": "none", "message": {"text": "[MINED019] Ssti Jinja From String (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 106386, "scanner": "repobility-threat-engine", "fingerprint": "2bf2b056229d937f055f8ea3d9d31f75171473ad68d09fe717b2ce187a42ffb9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2bf2b056229d937f055f8ea3d9d31f75171473ad68d09fe717b2ce187a42ffb9", "aggregated_count": 4}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 106382, "scanner": "repobility-threat-engine", "fingerprint": "2949c2702d7166dac258164d4c52ef70add92ecb6c82892fbc20aaf8046756af", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2949c2702d7166dac258164d4c52ef70add92ecb6c82892fbc20aaf8046756af"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 106378, "scanner": "repobility-threat-engine", "fingerprint": "2a90f201efe0fa0c5dec20cc574f41ea779c24e8a2731e92a392ebdb37082c00", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2a90f201efe0fa0c5dec20cc574f41ea779c24e8a2731e92a392ebdb37082c00"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 106370, "scanner": "repobility-threat-engine", "fingerprint": "c1f9b3623e439323807961f9d0553a963083bb75bcda918fdab9bd2d980331b6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c1f9b3623e439323807961f9d0553a963083bb75bcda918fdab9bd2d980331b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/vite.config.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 106369, "scanner": "repobility-threat-engine", "fingerprint": "1272c0ef2988c15958bb27153a4b2b38e7ac399a5555617d822a7a022224f951", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1272c0ef2988c15958bb27153a4b2b38e7ac399a5555617d822a7a022224f951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/tools/projects.ts"}, "region": {"startLine": 284}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 106368, "scanner": "repobility-threat-engine", "fingerprint": "3808f6a38755825e7766258ff75e3bea14540b118dcfb7ac1f49a9562464335b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3808f6a38755825e7766258ff75e3bea14540b118dcfb7ac1f49a9562464335b", "aggregated_count": 29}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 106367, "scanner": "repobility-threat-engine", "fingerprint": "94691356f68f29f40f1540a714a4b174b84a9b10152739c5fa0568248634e710", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94691356f68f29f40f1540a714a4b174b84a9b10152739c5fa0568248634e710"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/tools/comments.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 106366, "scanner": "repobility-threat-engine", "fingerprint": "1254bda784cc35cf3230e46bb27cfd310da1159bf10d47e3178de0339816a3e7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1254bda784cc35cf3230e46bb27cfd310da1159bf10d47e3178de0339816a3e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/tools/automation.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 106365, "scanner": "repobility-threat-engine", "fingerprint": "0a67ea58acae7fea43d633308a3b3ec13307ec776a1e687464f5a001ed94266a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a67ea58acae7fea43d633308a3b3ec13307ec776a1e687464f5a001ed94266a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/tools/agents.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 106364, "scanner": "repobility-threat-engine", "fingerprint": "8d382f1a9011e34b41d4813c5064868da88d0861c3460c6e680d07ddd9a72035", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8d382f1a9011e34b41d4813c5064868da88d0861c3460c6e680d07ddd9a72035", "aggregated_count": 12}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 106363, "scanner": "repobility-threat-engine", "fingerprint": "bd694daa8da05016833e8c9172e949caac80fff61bde9f3bc27d62521122d183", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bd694daa8da05016833e8c9172e949caac80fff61bde9f3bc27d62521122d183"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/automation.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 106362, "scanner": "repobility-threat-engine", "fingerprint": "d75e7c4c1c78740c7ae60faa489aca626282eaee3d741a29ba91812515fb5cc5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d75e7c4c1c78740c7ae60faa489aca626282eaee3d741a29ba91812515fb5cc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/middleware/csp-nonce.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 106361, "scanner": "repobility-threat-engine", "fingerprint": "ec34a9e7491231e43cc11c8b317ae55ee4252b687a7c9d80d4a4063966c37f5f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec34a9e7491231e43cc11c8b317ae55ee4252b687a7c9d80d4a4063966c37f5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/main/paths.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 106360, "scanner": "repobility-threat-engine", "fingerprint": "f6f843804e471d59840f839b8f69e12af32f4a47fa462d113efae075ffad52d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f6f843804e471d59840f839b8f69e12af32f4a47fa462d113efae075ffad52d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/config/env.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 106359, "scanner": "repobility-threat-engine", "fingerprint": "eaf77a1eb0e822959fb2a2abefae87c62663eed7808edacf5deaa329a43862dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eaf77a1eb0e822959fb2a2abefae87c62663eed7808edacf5deaa329a43862dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/main/lifecycle.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 106358, "scanner": "repobility-threat-engine", "fingerprint": "0f70dcb830f007110a79342e3f81eda77503ccc94f6c49e7c60c391ea17cb0cb", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0f70dcb830f007110a79342e3f81eda77503ccc94f6c49e7c60c391ea17cb0cb"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 106354, "scanner": "repobility-threat-engine", "fingerprint": "92a2b0b03aea7c54f1b6c2d77a733c15bcb93dfe0a952d645bbeb069d5545219", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92a2b0b03aea7c54f1b6c2d77a733c15bcb93dfe0a952d645bbeb069d5545219"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/squad-post.sh"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 106353, "scanner": "repobility-threat-engine", "fingerprint": "f6cb417f0defd2beadefd6b314cfa1e2b2868ada9337d8ca66d341b64feb410a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f6cb417f0defd2beadefd6b314cfa1e2b2868ada9337d8ca66d341b64feb410a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/squad-event.sh"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 106352, "scanner": "repobility-threat-engine", "fingerprint": "1778166a1134085a48bb4885b249864e3cc5f8a1e5356f0f4f47ebd5bdc02510", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1778166a1134085a48bb4885b249864e3cc5f8a1e5356f0f4f47ebd5bdc02510"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "demo/seed.sh"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 106351, "scanner": "repobility-threat-engine", "fingerprint": "8402d3b83d3aec6cd0f3403a0703d777fb94cd720f03129acf3018d1640724a7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8402d3b83d3aec6cd0f3403a0703d777fb94cd720f03129acf3018d1640724a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/scripts/reset-password.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 106350, "scanner": "repobility-threat-engine", "fingerprint": "6d81f4a9ddf88399baed2b642c5abf0f7f0f077203d80d9b7a26cdf97072ca4a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d81f4a9ddf88399baed2b642c5abf0f7f0f077203d80d9b7a26cdf97072ca4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/usage.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 106349, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 106348, "scanner": "repobility-threat-engine", "fingerprint": "9dbabbf42acb85fae3e8618f7c61595582763e2086bc7b730feea9f5d53f28e4", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('[Auth] Password change failed:', err)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|web/src/hooks/useauth.tsx|13|console.error auth password change failed: err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/hooks/useAuth.tsx"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 106347, "scanner": "repobility-threat-engine", "fingerprint": "d1102a055ac32592c155365d959613bda7193a611fa80efc842e5a454635de94", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log('\\n\ud83d\udd10 Veritas Kanban - Password Reset\\n')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|console.log n veritas kanban - password reset n"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/scripts/reset-password.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 106346, "scanner": "repobility-threat-engine", "fingerprint": "74493183d6b79b7ce058ece711a964ceeb96debf28c630384a19e555abee6571", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(chalk.bold('\\n\ud83d\udcac Token Usage')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|cli/src/commands/usage.ts|7|console.log chalk.bold n token usage"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/usage.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "properties": {"repobilityId": 106345, "scanner": "repobility-threat-engine", "fingerprint": "f7e05db95400602aa07bd6858d34947e60f7620bb60a4e8e40ed860df7e3ec68", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f7e05db95400602aa07bd6858d34947e60f7620bb60a4e8e40ed860df7e3ec68", "aggregated_count": 38}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 106344, "scanner": "repobility-threat-engine", "fingerprint": "7be3952a136ab69410f6971ff3347c9e15e8cafb7229fb1507158be50849dbfe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7be3952a136ab69410f6971ff3347c9e15e8cafb7229fb1507158be50849dbfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/automation.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 106343, "scanner": "repobility-threat-engine", "fingerprint": "3185da135ee5bd73928c59cf2ba1425111a3b9c783e022b32a30829fce6ec89f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3185da135ee5bd73928c59cf2ba1425111a3b9c783e022b32a30829fce6ec89f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/agents.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 106342, "scanner": "repobility-threat-engine", "fingerprint": "69b78162fbe1279e45b4a0a895733ea8a2cdb6575726c12f55f0f584595f8275", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|69b78162fbe1279e45b4a0a895733ea8a2cdb6575726c12f55f0f584595f8275"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/agent-status.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/express` is patch version(s) behind (^5.0.0 -> 5.0.6)"}, "properties": {"repobilityId": 106335, "scanner": "repobility-dependency-currency", "fingerprint": "6a3722350c9f784bef354121d46aa6340ffbf7356fd527b4a808d45dee973e57", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/express", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.6", "correlation_key": "fp|6a3722350c9f784bef354121d46aa6340ffbf7356fd527b4a808d45dee973e57", "current_version": "^5.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@types/cors` is patch version(s) behind (^2.8.17 -> 2.8.19)"}, "properties": {"repobilityId": 106334, "scanner": "repobility-dependency-currency", "fingerprint": "e1eec41a6c4779f19e7c00d94e8142118b2e24e09f9f1846f423dfb5f9dd9ccd", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/cors", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.19", "correlation_key": "fp|e1eec41a6c4779f19e7c00d94e8142118b2e24e09f9f1846f423dfb5f9dd9ccd", "current_version": "^2.8.17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `cors` is patch version(s) behind (^2.8.5 -> 2.8.6)"}, "properties": {"repobilityId": 106333, "scanner": "repobility-dependency-currency", "fingerprint": "7e37bc4ebb5e4c48ffaae05415d4e8a5c0e2ba81f8d67ee6255093a9e7528624", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cors", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.6", "correlation_key": "fp|7e37bc4ebb5e4c48ffaae05415d4e8a5c0e2ba81f8d67ee6255093a9e7528624", "current_version": "^2.8.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `prettier` is patch version(s) behind (^3.8.2 -> 3.8.3)"}, "properties": {"repobilityId": 106332, "scanner": "repobility-dependency-currency", "fingerprint": "9ffb4702e72e96c585b4c22b6bda63029848fd6ac6d4e6d340feef8e572ee52b", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.8.3", "correlation_key": "fp|9ffb4702e72e96c585b4c22b6bda63029848fd6ac6d4e6d340feef8e572ee52b", "current_version": "^3.8.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 106428, "scanner": "repobility-journey-contract", "fingerprint": "400a05e103d13ce70d3515746f033db9fd108ba295a9cc4b3aee7b4dbbccbd4f", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|1800|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 4}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/workflow-authoring-service.ts"}, "region": {"startLine": 1800}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 106396, "scanner": "repobility-threat-engine", "fingerprint": "66423d7f40d42a742f0379d0da945bbd887dd14c294eddd8d60412ae3e455f9a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|66423d7f40d42a742f0379d0da945bbd887dd14c294eddd8d60412ae3e455f9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/prompt-registry-repository.ts"}, "region": {"startLine": 380}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 106395, "scanner": "repobility-threat-engine", "fingerprint": "a29e844e21d5bd50c03858011575623b7dccddc0f01eceecca4d1935b6c7ab3b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(migration", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a29e844e21d5bd50c03858011575623b7dccddc0f01eceecca4d1935b6c7ab3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/database.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 106390, "scanner": "repobility-threat-engine", "fingerprint": "2f48a8db7b75a4a48fb83c2bdb4ee98ac85e98ecd7916559375e33f6398f3115", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(customPattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f48a8db7b75a4a48fb83c2bdb4ee98ac85e98ecd7916559375e33f6398f3115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/preview-service.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 106377, "scanner": "repobility-threat-engine", "fingerprint": "783894e77a408cb2bc6c7f6520f9e6c5d900bc6858a4dd4cf0ab0976247a613f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "stream.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|783894e77a408cb2bc6c7f6520f9e6c5d900bc6858a4dd4cf0ab0976247a613f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/audit-service.ts"}, "region": {"startLine": 258}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 106376, "scanner": "repobility-threat-engine", "fingerprint": "385053db2b9e31c5e6db40776a6ac2a96eb687d824834f1d141eaa2c3e61e9d3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "contentDisposition.create(downloadName, { type: 'attachment' })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|385053db2b9e31c5e6db40776a6ac2a96eb687d824834f1d141eaa2c3e61e9d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/attachments.ts"}, "region": {"startLine": 168}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 106375, "scanner": "repobility-threat-engine", "fingerprint": "0e19e0deaae96d46557a196bd20897b21ff0454d86639a1504d6e01c8f9ce51d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "req.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0e19e0deaae96d46557a196bd20897b21ff0454d86639a1504d6e01c8f9ce51d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/middleware/request-timeout.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC036", "level": "error", "message": {"text": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. Real CVEs: CVE-2017-15193 (Mahara), CVE-2019-11358 (Django), CVE-2020-26116 (Python http.client). CWE-93/113."}, "properties": {"repobilityId": 106374, "scanner": "repobility-threat-engine", "fingerprint": "376ec16649aa083cfc60a98e127de62c0b350eb647137a80e03d75bf81ad6676", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "res.setHeader('X-Request-ID', req", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC036", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|27|sec036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/middleware/request-id.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 106373, "scanner": "repobility-threat-engine", "fingerprint": "2c23a43cc6b0b204a1a3dbcf064f1d6f8c8e05dcf0f346c01eed86ac9b1c3b19", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((term) => `\"${term.replace(/\"/g, '\"\"')}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2c23a43cc6b0b204a1a3dbcf064f1d6f8c8e05dcf0f346c01eed86ac9b1c3b19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/sqlite/work-product-repository.ts"}, "region": {"startLine": 403}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 106372, "scanner": "repobility-threat-engine", "fingerprint": "bf3015e7a6ab1cea66d046f46d450d74157952e278dd6d1b6d5fc4af097ebf0a", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((agent) => `Enabled profile: ${agent}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf3015e7a6ab1cea66d046f46d450d74157952e278dd6d1b6d5fc4af097ebf0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/context-provider-health-service.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 106371, "scanner": "repobility-threat-engine", "fingerprint": "2572fe3ed46e847680ea5ac64ea103455162342b45d3b21c0f605cbb0ad795db", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((type) => `websocket:${type}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2572fe3ed46e847680ea5ac64ea103455162342b45d3b21c0f605cbb0ad795db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-permission-coverage.mjs"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 106357, "scanner": "repobility-threat-engine", "fingerprint": "c251368cb0b6c2132cf5a6978a3dd63cb765916b07ca30916a5d25809bd68cdd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c251368cb0b6c2132cf5a6978a3dd63cb765916b07ca30916a5d25809bd68cdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/main/index.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 106356, "scanner": "repobility-threat-engine", "fingerprint": "a151f8c72fcbf8b4aa4991ae996b22bbe3677eddc271444d6bad5eb4ad10d539", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a151f8c72fcbf8b4aa4991ae996b22bbe3677eddc271444d6bad5eb4ad10d539"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/main/deep-links.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 106355, "scanner": "repobility-threat-engine", "fingerprint": "6a5a1ed5c4bf37811211d8676b779a4f0ebb4cb4f6bbc5dff03c3fd6654faa47", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6a5a1ed5c4bf37811211d8676b779a4f0ebb4cb4f6bbc5dff03c3fd6654faa47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/main/bridge.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106329, "scanner": "repobility-supply-chain", "fingerprint": "60f49d6413da1bf04c1efe9c1242283ede46a81917bc8f0b9732e5a660057923", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|60f49d6413da1bf04c1efe9c1242283ede46a81917bc8f0b9732e5a660057923"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-artifacts.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106328, "scanner": "repobility-supply-chain", "fingerprint": "469cc2aa90f84a032a351523de637419ff6bbcd9e43886544e92a8519681ede9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|469cc2aa90f84a032a351523de637419ff6bbcd9e43886544e92a8519681ede9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-artifacts.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106327, "scanner": "repobility-supply-chain", "fingerprint": "72587373732eb43c90e958d29b965d8ca6266c66533b529bfc05a142b12ff107", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72587373732eb43c90e958d29b965d8ca6266c66533b529bfc05a142b12ff107"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106326, "scanner": "repobility-supply-chain", "fingerprint": "33b9f33da05cc668211199bbb54f4cda72680bd0b8a2e1701c25eceada60cd91", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33b9f33da05cc668211199bbb54f4cda72680bd0b8a2e1701c25eceada60cd91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106325, "scanner": "repobility-supply-chain", "fingerprint": "8accb944833604fd3bdd1979d67a197b1bf11aa52f523d46c2e9aa042f4ddc2a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8accb944833604fd3bdd1979d67a197b1bf11aa52f523d46c2e9aa042f4ddc2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106324, "scanner": "repobility-supply-chain", "fingerprint": "4b8d96aafd0a8154450f8684828b5461fa39b162755fdcff45f9cf34e6021aab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b8d96aafd0a8154450f8684828b5461fa39b162755fdcff45f9cf34e6021aab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106323, "scanner": "repobility-supply-chain", "fingerprint": "40ec7a48fabd963173a15d2d735821a7fe023038a18343f960fd44c5b989f381", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40ec7a48fabd963173a15d2d735821a7fe023038a18343f960fd44c5b989f381"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106322, "scanner": "repobility-supply-chain", "fingerprint": "7d209a7580aad88ad0bc6aedcc120fec5f3d3021329bc6cb89be8bb80e7fffdf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d209a7580aad88ad0bc6aedcc120fec5f3d3021329bc6cb89be8bb80e7fffdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106321, "scanner": "repobility-supply-chain", "fingerprint": "0f2858d54de4f58eeeeda44e6cc5a611d8c1410e8cf1b0c56508c70be58d847e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f2858d54de4f58eeeeda44e6cc5a611d8c1410e8cf1b0c56508c70be58d847e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106320, "scanner": "repobility-supply-chain", "fingerprint": "8fdcbfe1fe31b14b67dc9fd796fd1268106eedae71ee7c1cbdbbcdc7e256b443", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fdcbfe1fe31b14b67dc9fd796fd1268106eedae71ee7c1cbdbbcdc7e256b443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106319, "scanner": "repobility-supply-chain", "fingerprint": "1dc9c784bf831cb1acf2710f8d9b9e54d76b068a49b70d5fe98a84082d849cb0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1dc9c784bf831cb1acf2710f8d9b9e54d76b068a49b70d5fe98a84082d849cb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106318, "scanner": "repobility-supply-chain", "fingerprint": "ab648c19d211198b4f44469138ab36b75e5a692e0205577cddbd001c6ed4be4d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab648c19d211198b4f44469138ab36b75e5a692e0205577cddbd001c6ed4be4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106317, "scanner": "repobility-supply-chain", "fingerprint": "58a7443fa974eb5539e999013cdc91456dadb9daafe43a4b415960d45870e14f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58a7443fa974eb5539e999013cdc91456dadb9daafe43a4b415960d45870e14f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106316, "scanner": "repobility-supply-chain", "fingerprint": "665587d048efb2b474c5740b622d202349aa821e08cae2407db1f7bbbcddb1af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|665587d048efb2b474c5740b622d202349aa821e08cae2407db1f7bbbcddb1af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106315, "scanner": "repobility-supply-chain", "fingerprint": "e51318b97cc1c25c918b2bc5e0d94453f622530b1fa76b50aa80244a9bbf4694", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e51318b97cc1c25c918b2bc5e0d94453f622530b1fa76b50aa80244a9bbf4694"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-release.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106314, "scanner": "repobility-supply-chain", "fingerprint": "85e8ccc7d239047cc2f3d348987d669762fb34b5c1704c10d48f52839d6bb6f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85e8ccc7d239047cc2f3d348987d669762fb34b5c1704c10d48f52839d6bb6f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-release.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106313, "scanner": "repobility-supply-chain", "fingerprint": "40db28678878e86fa6ecc0563cacf63206bea56097db9c0eb26a72cb4eb6fefa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40db28678878e86fa6ecc0563cacf63206bea56097db9c0eb26a72cb4eb6fefa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/desktop-release.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 106312, "scanner": "repobility-supply-chain", "fingerprint": "6e860fe768a8916acbd39a5a17f841c168036f53d964c002b03e0e77de835212", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e860fe768a8916acbd39a5a17f841c168036f53d964c002b03e0e77de835212"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-qa.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106311, "scanner": "repobility-supply-chain", "fingerprint": "3d396db13f89abf610d58f4014ac73d5a1609ffef85ea73fbf3def5822de96d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d396db13f89abf610d58f4014ac73d5a1609ffef85ea73fbf3def5822de96d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-qa.yml"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106310, "scanner": "repobility-supply-chain", "fingerprint": "6ae9d365a88de55d9fdb45c5c06665b4c04a44eb5e35a45cce83f559fd533d02", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ae9d365a88de55d9fdb45c5c06665b4c04a44eb5e35a45cce83f559fd533d02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-qa.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106309, "scanner": "repobility-supply-chain", "fingerprint": "fdc4ff43146fbe0fa713fb4e43fef6731040cf157fc14d1ed16c5f4f00cde84a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fdc4ff43146fbe0fa713fb4e43fef6731040cf157fc14d1ed16c5f4f00cde84a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-qa.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 106308, "scanner": "repobility-supply-chain", "fingerprint": "2e5ebf54adb3e2735fe7207062bb77d387cbc89d5341e3215d2b025c448037e1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e5ebf54adb3e2735fe7207062bb77d387cbc89d5341e3215d2b025c448037e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-qa.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106307, "scanner": "repobility-supply-chain", "fingerprint": "a554f6f5778248daf40a3ed432c15cfb73b431600826158b674af4cfa2a681b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a554f6f5778248daf40a3ed432c15cfb73b431600826158b674af4cfa2a681b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-qa.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106306, "scanner": "repobility-supply-chain", "fingerprint": "22c789686f3a29dc044b3fbf4329330216dcb44ef9427f27e217c793d4cec86e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22c789686f3a29dc044b3fbf4329330216dcb44ef9427f27e217c793d4cec86e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-qa.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 106305, "scanner": "repobility-supply-chain", "fingerprint": "0cf2d2cff9257f2f9c3f8605211daa7d5d781ebdfd8a7fcd1f42157e65cdf311", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0cf2d2cff9257f2f9c3f8605211daa7d5d781ebdfd8a7fcd1f42157e65cdf311"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scheduled-qa.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `remote-helper` pulled from URL/Git"}, "properties": {"repobilityId": 106304, "scanner": "repobility-supply-chain", "fingerprint": "07e83704305b6f488d935f833fd6972d467ab689ad9f852b9b40c61ba95325e2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07e83704305b6f488d935f833fd6972d467ab689ad9f852b9b40c61ba95325e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/__fixtures__/skill-security/malicious/unpinned-dependency/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/gitleaks/gitleaks` pinned to mutable rev `v8.21.2`"}, "properties": {"repobilityId": 106303, "scanner": "repobility-supply-chain", "fingerprint": "08105006f33c7180f4d7e0d4af246678618691826f28446fe4c3c9e8050b0eef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|08105006f33c7180f4d7e0d4af246678618691826f28446fe4c3c9e8050b0eef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-alpine` not pinned by digest"}, "properties": {"repobilityId": 106302, "scanner": "repobility-supply-chain", "fingerprint": "736a8c5a9ab3c2fc076cf419436a78d01c0a3a70813b3407eeecc7f9f76fc997", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|736a8c5a9ab3c2fc076cf419436a78d01c0a3a70813b3407eeecc7f9f76fc997"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-alpine` not pinned by digest"}, "properties": {"repobilityId": 106301, "scanner": "repobility-supply-chain", "fingerprint": "149d058049303ec63c0f8a9af1a97c28002189e958963c58a95055f72a9400c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|149d058049303ec63c0f8a9af1a97c28002189e958963c58a95055f72a9400c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /file/*path has no auth"}, "properties": {"repobilityId": 106300, "scanner": "repobility-route-auth", "fingerprint": "59f4f904514e1909f825d7587518843f2265a29fd72de6c72bdb0ea86539f1ca", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|59f4f904514e1909f825d7587518843f2265a29fd72de6c72bdb0ea86539f1ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/docs.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /file/*path has no auth"}, "properties": {"repobilityId": 106299, "scanner": "repobility-route-auth", "fingerprint": "bba143e285c5fd1e2de1e5b4ce38fb5d721148c812cf783c1fc225fafc4907a2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|bba143e285c5fd1e2de1e5b4ce38fb5d721148c812cf783c1fc225fafc4907a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/docs.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PATCH /:id/subtasks/:subtaskId/criteria/:index has no auth"}, "properties": {"repobilityId": 106298, "scanner": "repobility-route-auth", "fingerprint": "224fa1788ee9befcec830747d0f3bdfd67d14812633dfee73d1e806526638c90", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|224fa1788ee9befcec830747d0f3bdfd67d14812633dfee73d1e806526638c90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/task-subtasks.ts"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /:id/subtasks/:subtaskId has no auth"}, "properties": {"repobilityId": 106297, "scanner": "repobility-route-auth", "fingerprint": "f5d88f74d66a25c58288122c53e854dd2bf85a3ef63c83853f94680114443185", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f5d88f74d66a25c58288122c53e854dd2bf85a3ef63c83853f94680114443185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/task-subtasks.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PATCH /:id/subtasks/:subtaskId has no auth"}, "properties": {"repobilityId": 106296, "scanner": "repobility-route-auth", "fingerprint": "5dea8879d94230cd8c47e71f38b11695a80dc03fcfa4a937361d266909dd7d49", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5dea8879d94230cd8c47e71f38b11695a80dc03fcfa4a937361d266909dd7d49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/task-subtasks.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /:id/subtasks has no auth"}, "properties": {"repobilityId": 106295, "scanner": "repobility-route-auth", "fingerprint": "2c00d3dacd1fca82fa317481ca4735a0a5389ae7257e2d5531f83a49cd64785c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2c00d3dacd1fca82fa317481ca4735a0a5389ae7257e2d5531f83a49cd64785c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/task-subtasks.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /predict has no auth"}, "properties": {"repobilityId": 106294, "scanner": "repobility-route-auth", "fingerprint": "d948d6adb321e5610643d0eeadca2a2da294c6681fbe52234f085e7b3f097a78", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d948d6adb321e5610643d0eeadca2a2da294c6681fbe52234f085e7b3f097a78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/cost-prediction.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /change-password has no auth"}, "properties": {"repobilityId": 106293, "scanner": "repobility-route-auth", "fingerprint": "e8aa2e2d840c848b7f0f45cac09b1937ab4a02766fcc8d41f35e872013d48f70", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e8aa2e2d840c848b7f0f45cac09b1937ab4a02766fcc8d41f35e872013d48f70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/auth.ts"}, "region": {"startLine": 692}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /recover has no auth"}, "properties": {"repobilityId": 106292, "scanner": "repobility-route-auth", "fingerprint": "0583330264482182302d239967ef9b449785f7a0415bd2890f5e4c01bbc6673f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0583330264482182302d239967ef9b449785f7a0415bd2890f5e4c01bbc6673f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/auth.ts"}, "region": {"startLine": 607}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /logout has no auth"}, "properties": {"repobilityId": 106291, "scanner": "repobility-route-auth", "fingerprint": "016546df33b69c62a7524de5ca9bc14931b2522ed7760c642c034cff72b922cd", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|016546df33b69c62a7524de5ca9bc14931b2522ed7760c642c034cff72b922cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/auth.ts"}, "region": {"startLine": 583}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /login has no auth"}, "properties": {"repobilityId": 106290, "scanner": "repobility-route-auth", "fingerprint": "ce8937b69d53fb464ab0c1dc8c85efcc0e38168b5bcd42db632fab65e36e272e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ce8937b69d53fb464ab0c1dc8c85efcc0e38168b5bcd42db632fab65e36e272e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/auth.ts"}, "region": {"startLine": 480}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /invitations/accept has no auth"}, "properties": {"repobilityId": 106289, "scanner": "repobility-route-auth", "fingerprint": "a4971f62d13cecf44e97eb79fce24a88f6b658b01914332781cfdab424a3ff7e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a4971f62d13cecf44e97eb79fce24a88f6b658b01914332781cfdab424a3ff7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/auth.ts"}, "region": {"startLine": 410}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /setup has no auth"}, "properties": {"repobilityId": 106288, "scanner": "repobility-route-auth", "fingerprint": "b6db75ad47a650fd0039d95ca93bba5370d6af06a41431ccf5d74a8715d7f6ed", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b6db75ad47a650fd0039d95ca93bba5370d6af06a41431ccf5d74a8715d7f6ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/auth.ts"}, "region": {"startLine": 336}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /pairing/redeem has no auth"}, "properties": {"repobilityId": 106287, "scanner": "repobility-route-auth", "fingerprint": "80061c37f691a22fbaa79732fa25d16a9614182341421a9e80d5bdf41454791c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|80061c37f691a22fbaa79732fa25d16a9614182341421a9e80d5bdf41454791c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/auth.ts"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /device-pairing/exchange has no auth"}, "properties": {"repobilityId": 106286, "scanner": "repobility-route-auth", "fingerprint": "feb46bce5d25fb56aa1d138cec2c6eee702ac02dcc130d5d6f338a3140731055", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|feb46bce5d25fb56aa1d138cec2c6eee702ac02dcc130d5d6f338a3140731055"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/auth.ts"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /:id/runs has no auth"}, "properties": {"repobilityId": 106285, "scanner": "repobility-route-auth", "fingerprint": "e192ff86d872d047a890f69b319ec43100f2dcb4df07afd1c83f7c6857ee5264", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e192ff86d872d047a890f69b319ec43100f2dcb4df07afd1c83f7c6857ee5264"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/scheduled-deliverables.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /:id has no auth"}, "properties": {"repobilityId": 106284, "scanner": "repobility-route-auth", "fingerprint": "44d99169687a7e66339e68ae66a130ed4854d341c35d3a017af2edae28484e87", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|44d99169687a7e66339e68ae66a130ed4854d341c35d3a017af2edae28484e87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/scheduled-deliverables.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PATCH /:id has no auth"}, "properties": {"repobilityId": 106283, "scanner": "repobility-route-auth", "fingerprint": "ba7a81d644bbd7cf084364635610afd4020201951a49c8d54f289b7c4ba91e28", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ba7a81d644bbd7cf084364635610afd4020201951a49c8d54f289b7c4ba91e28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/scheduled-deliverables.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 106282, "scanner": "repobility-route-auth", "fingerprint": "0477aead67b7f668bbc4bb66bc2ebfa25c0b290ae76ca69bf7e74b57f06e0614", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0477aead67b7f668bbc4bb66bc2ebfa25c0b290ae76ca69bf7e74b57f06e0614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/scheduled-deliverables.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /default-agent has no auth"}, "properties": {"repobilityId": 106281, "scanner": "repobility-route-auth", "fingerprint": "c2704baa31fa2779ffe7d6aff45733ac3bf7e1d789d4fb05f8f81c79e6a2c758", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c2704baa31fa2779ffe7d6aff45733ac3bf7e1d789d4fb05f8f81c79e6a2c758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/config.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /agents has no auth"}, "properties": {"repobilityId": 106280, "scanner": "repobility-route-auth", "fingerprint": "5788e98662e77eb4d0d250e31c524948ca99060ec1ee1bbd9c9c49cd26989cb1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5788e98662e77eb4d0d250e31c524948ca99060ec1ee1bbd9c9c49cd26989cb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/config.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /repos/validate has no auth"}, "properties": {"repobilityId": 106279, "scanner": "repobility-route-auth", "fingerprint": "f57c9ef5fcee7d2cec2ae04dec47b4cb3ec5363286e86df3a07a9b0ee1cb667d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f57c9ef5fcee7d2cec2ae04dec47b4cb3ec5363286e86df3a07a9b0ee1cb667d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/config.ts"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /repos/:name has no auth"}, "properties": {"repobilityId": 106278, "scanner": "repobility-route-auth", "fingerprint": "14d17a91aa85a7f7bb1b7ccd2cd30bd018541da0d62edb016d036c717e3a22a5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|14d17a91aa85a7f7bb1b7ccd2cd30bd018541da0d62edb016d036c717e3a22a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/config.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PATCH /repos/:name has no auth"}, "properties": {"repobilityId": 106277, "scanner": "repobility-route-auth", "fingerprint": "6afaa99542816146cb581fc5f13c0093f8cc836989367e0c91abccdc2280c945", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6afaa99542816146cb581fc5f13c0093f8cc836989367e0c91abccdc2280c945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/config.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /repos has no auth"}, "properties": {"repobilityId": 106276, "scanner": "repobility-route-auth", "fingerprint": "7d3aa6aa9bdc3bae55498eb67ae26088e0b0a8a8f205e67ca07a8487c47fb04e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7d3aa6aa9bdc3bae55498eb67ae26088e0b0a8a8f205e67ca07a8487c47fb04e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/config.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106427, "scanner": "gitleaks", "fingerprint": "2081c8a62a64ceb7a6d66111a0c7bdf76b277d97caa720bf4ac1f7478a335511", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "tokenPrefix: 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|12|tokenprefix: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/__tests__/multi-user-tab.test.tsx"}, "region": {"startLine": 123}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106426, "scanner": "gitleaks", "fingerprint": "758c2c4298f433442b0c547f0a5188723963fed851a62e56412c8bc6a1cf6f46", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token\": \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|docs/api-reference.md|67|token : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/API-REFERENCE.md"}, "region": {"startLine": 671}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106425, "scanner": "gitleaks", "fingerprint": "b1d98306137daa24df18ae73b401ef12698664230723c6a2ea2611d0e8cedc5d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "jwtSecret: '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|7|jwtsecret: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/__tests__/routes/auth.test.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106424, "scanner": "gitleaks", "fingerprint": "19a17c8c755e08868b3b300d1754dca3e382f5c24e852b0ce2db596c5733beca", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "securityConfig.jwtSecret || 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|2|securityconfig.jwtsecret redacted", "duplicate_count": 1, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["19a17c8c755e08868b3b300d1754dca3e382f5c24e852b0ce2db596c5733beca", "df15b50c3ebefc19b97dc936acce1c3a498a9d29594acc07a6dd10e2376970a6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/__tests__/routes/auth.test.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106423, "scanner": "gitleaks", "fingerprint": "65a4bcb46e304615411ec806113318a6f8ccf63b2528419896703ec3c10f1e9b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|6|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/__tests__/skill-capability-service.test.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106422, "scanner": "gitleaks", "fingerprint": "eabcf1c75542ede1bd0e2dc92c6f9f05e098c8e148d795c0373c0855450e7548", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|3|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/__tests__/log-redaction.test.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 106421, "scanner": "gitleaks", "fingerprint": "f6a64eb34dd2586da2a522f162a9936f000d0213bac1b95a38415098b969cf69", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED'", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|token|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/__tests__/log-redaction.test.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106420, "scanner": "gitleaks", "fingerprint": "e656abd4de13f174b5c3311efa6d56a6bd0f92155a45d9f04e82d0ba84eff31c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -H \"X-API-Key: <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|server/.env.example|12|curl -h x-api-key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/.env.example"}, "region": {"startLine": 125}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106419, "scanner": "gitleaks", "fingerprint": "b4d71f0b55e9948238466460e02134c7e36bae3c3a6a43afc1f674e885c48ced", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -H \"Authorization: Bearer <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|server/.env.example|12|curl -h authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/.env.example"}, "region": {"startLine": 122}}}]}, {"ruleId": "stripe-access-token", "level": "error", "message": {"text": "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."}, "properties": {"repobilityId": 106418, "scanner": "gitleaks", "fingerprint": "f1c64aeab1c479ea1414b240cdb93bcfd31959a2e90e7fd799886379913ec529", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED'", "rule_id": "stripe-access-token", "scanner": "gitleaks", "detector": "stripe-access-token", "correlation_key": "secret|token|2|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["stripe-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["0766d433c7ada86e39f9f4330376f766d0ed96be131c336563a7b000621c2dcf", "f1c64aeab1c479ea1414b240cdb93bcfd31959a2e90e7fd799886379913ec529"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/__tests__/governance-trace-service.test.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106417, "scanner": "gitleaks", "fingerprint": "c2b6c9ed4a62bc4cf284268378475dc14923abbf71c950c50cd0ad3fb38b07ba", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -X POST http://localhost:3001/api/chat/squad \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|token|77|curl -x post token -h content-type: application/json -h authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/features/prd-driven-development.md"}, "region": {"startLine": 775}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106416, "scanner": "gitleaks", "fingerprint": "a9df81f1d37b9817756722f64b134bd4d9a0f3128b9aeeb552804d1f6406f0e6", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -X POST http://localhost:3001/api/templates \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|token|9|curl -x post token -h content-type: application/json -h authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/features/prd-driven-development.md"}, "region": {"startLine": 95}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106415, "scanner": "gitleaks", "fingerprint": "e6f2126fb852e0e399716034d11bf9a0425771f329a7076a4be84260ffb2d734", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -H \"X-API-Key: <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|docs/security.md|5|curl -h x-api-key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/security.md"}, "region": {"startLine": 58}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106414, "scanner": "gitleaks", "fingerprint": "21999af952d6d2d4b4911aa0a929cd7239740991c873cd35878f8b90b9c4287b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -H \"Authorization: Bearer <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|docs/security.md|5|curl -h authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/security.md"}, "region": {"startLine": 51}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106413, "scanner": "gitleaks", "fingerprint": "d473b65d876244af3e8f8d35e2684abf5ade7ea16fb2156340855bbe49310162", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -s -X POST \"$API_BASE/tasks\" \\\n      -H \"Content-Type: application/json\" \\\n      -H \"X-API-Key: <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|seed-demo-data.sh|4|curl -s -x post api_base/tasks -h content-type: application/json -h x-api-key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed-demo-data.sh"}, "region": {"startLine": 45}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106412, "scanner": "gitleaks", "fingerprint": "be83198967f3513e09519fc41bb5f53b5169630d8bcfae370f7839596dde8b7a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl http://localhost:3001/health\n# \u2192 {\"status\":\"ok\",\"timestamp\":\"...\"}\n```\n\nAuth diagnostics (requires admin key):\n\n```bash\ncurl -H \"X-API-Key: <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|docs/guides/self_host.md|72|curl token # status : ok timestamp : ... auth diagnostics requires admin key : bash curl -h x-api-key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/guides/SELF_HOST.md"}, "region": {"startLine": 729}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106411, "scanner": "gitleaks", "fingerprint": "2fe022ff00b05fcf6e2a495232125c74fc6a2658a7907f3ea456df5120fd1c06", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -H \"X-API-Key: <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|docs/troubleshooting.md|20|curl -h x-api-key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/TROUBLESHOOTING.md"}, "region": {"startLine": 210}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106410, "scanner": "gitleaks", "fingerprint": "a0776a2695e6cc1b279acb74e100b1ceb4e0e3ba4cfc2ed028c0eb9db4dd6965", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -H \"Authorization: Bearer <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|docs/troubleshooting.md|20|curl -h authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/TROUBLESHOOTING.md"}, "region": {"startLine": 207}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106409, "scanner": "gitleaks", "fingerprint": "e6d570ebe688968ba9ae19396d2dbca984062fbbaa786ef86da13a933c55e8dc", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -H \"X-API-Key: <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|docs/troubleshooting.md|17|curl -h x-api-key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/TROUBLESHOOTING.md"}, "region": {"startLine": 179}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106408, "scanner": "gitleaks", "fingerprint": "8efb1a6213f0ee287224c6ed787368624e5698dbf12af8eedcc5889d7bebcd73", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "api_key\": \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|docs/api-workflows.md|134|api_key : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/API-WORKFLOWS.md"}, "region": {"startLine": 1343}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 106407, "scanner": "gitleaks", "fingerprint": "83a86398895d6750c08dd12b8a4aba020866cf6dc6bb154ad0e6e748f8d6c16e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -H \"X-API-Key: <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|docs/deployment.md|78|curl -h x-api-key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/DEPLOYMENT.md"}, "region": {"startLine": 790}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 106406, "scanner": "gitleaks", "fingerprint": "478773ae6ff1e396a99a98368f34817d3727e60a1ce9c3e5b63d1eb8cad1e5d4", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "VK_API_KEY: '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|21|vk_api_key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/__tests__/snapshot.test.ts"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 106385, "scanner": "repobility-threat-engine", "fingerprint": "086d04ad2c47d2a4bdf3cec85f1ba5984ce5493d0f71e781d1e6377d4b9996c1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|086d04ad2c47d2a4bdf3cec85f1ba5984ce5493d0f71e781d1e6377d4b9996c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/template-service.ts"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 106384, "scanner": "repobility-threat-engine", "fingerprint": "92af10999496af13d19a5fd39bfda465ca75f4eed7abdd4a4eb761bf8e1604fd", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92af10999496af13d19a5fd39bfda465ca75f4eed7abdd4a4eb761bf8e1604fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/templates.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 106383, "scanner": "repobility-threat-engine", "fingerprint": "ed72c455a328fdb49f403cee242e34123ca39512c3f8bc8b277aeec2a332edfe", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ed72c455a328fdb49f403cee242e34123ca39512c3f8bc8b277aeec2a332edfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/prompt-registry.ts"}, "region": {"startLine": 81}}}]}]}]}