{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `3. \u72b6\u6001\u680f\u5728 kickoff \u65f6\u9ed8\u8ba4 `[ ]`\uff0c\u5b8c\u6210\u540e\u5728 quality-gate \u9636\u6bb5\u6539\u4e3a `[x]`\u3002` has no version pin: Unpinned pip ", "shortDescription": {"text": "[MINED124] requirements.txt: `3. \u72b6\u6001\u680f\u5728 kickoff \u65f6\u9ed8\u8ba4 `[ ]`\uff0c\u5b8c\u6210\u540e\u5728 quality-gate \u9636\u6bb5\u6539\u4e3a `[x]`\u3002` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typo"}, "fullDescription": {"text": "Replace `3. \u72b6\u6001\u680f\u5728 kickoff \u65f6\u9ed8\u8ba4 `[ ]`\uff0c\u5b8c\u6210\u540e\u5728 quality-gate \u9636\u6bb5\u6539\u4e3a `[x]`\u3002` with `3. \u72b6\u6001\u680f\u5728 kickoff \u65f6\u9ed8\u8ba4 `[ ]`\uff0c\u5b8c\u6210\u540e\u5728 quality-gate \u9636\u6bb5\u6539\u4e3a `[x]`\u3002==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Parse only usage metadata by default. Redact prompts, tool arguments, file paths, and message content before storage, telemetry, export, screenshots, or support bundles."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `transcribe` has cognitive complexity 9 (SonarSource scale). Cognitive com", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `transcribe` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 9."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 56 more): Same pattern found in 56 additional files", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 56 more): Same pattern found in 56 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED024] Js Eval Usage (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED065] Cors Wildcard (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 62 more): Same pattern found in 62 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 62 more): Same pattern found in 62 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 76 more): Same pattern found in 76 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 76 more): Same pattern found in 76 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 67 more): Same pattern found in 67 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 67 more): Same pattern found in 67 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 11 more): Same pattern found in 11 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 31 more): Same pattern found in 31 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 56 more): Same pattern found in 56 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 56 more): Same pattern found in 56 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `eslint-plugin-cafe` pulled from URL/Git: `devDependencies.eslint-plugin-cafe` = `file:eslin", "shortDescription": {"text": "[MINED122] package.json dep `eslint-plugin-cafe` pulled from URL/Git: `devDependencies.eslint-plugin-cafe` = `file:eslint-plugins` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or gi"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /api/backlog/import-active-features has no auth: Express route POST /api/backlog/import-active-f", "shortDescription": {"text": "[MINED113] Express POST /api/backlog/import-active-features has no auth: Express route POST /api/backlog/import-active-features declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthe"}, "fullDescription": {"text": "Add an auth middleware: app.post('/api/backlog/import-active-features', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /v1/embeddings has no auth: Handler `create_embeddings` is registered with router/app.post(...) ", "shortDescription": {"text": "[MINED112] FastAPI POST /v1/embeddings has no auth: Handler `create_embeddings` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._ensure_loaded` used but never assigned in __init__: Method `synthesize` of class `PiperAdapter` reads ", "shortDescription": {"text": "[MINED108] `self._ensure_loaded` used but never assigned in __init__: Method `synthesize` of class `PiperAdapter` reads `self._ensure_loaded`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeEr"}, "fullDescription": {"text": "Initialize `self._ensure_loaded = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1243"}, "properties": {"repository": "zts212653/clowder-ai", "repoUrl": "https://github.com/zts212653/clowder-ai", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `3. \u72b6\u6001\u680f\u5728 kickoff \u65f6\u9ed8\u8ba4 `[ ]`\uff0c\u5b8c\u6210\u540e\u5728 quality-gate \u9636\u6bb5\u6539\u4e3a `[x]`\u3002` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 125343, "scanner": "repobility-supply-chain", "fingerprint": "ed4ff2e7439aa74ed1662b290576cde054291f16c5ab53344fbd73b93df9de7e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed4ff2e7439aa74ed1662b290576cde054291f16c5ab53344fbd73b93df9de7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/refs/requirements-checklist-template.md"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `2. \u201c\u9a8c\u8bc1\u65b9\u5f0f\u201d\u5fc5\u987b\u53ef\u6267\u884c\uff1a\u6d4b\u8bd5\u540d/\u622a\u56fe/\u5f55\u5c4f/\u4eba\u5de5\u6b65\u9aa4\u81f3\u5c11\u4e00\u79cd\u3002` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 125342, "scanner": "repobility-supply-chain", "fingerprint": "1afc72f191d51eaacae33d4cbe54749a545bf4197b847e5b15637883fe53192e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1afc72f191d51eaacae33d4cbe54749a545bf4197b847e5b15637883fe53192e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/refs/requirements-checklist-template.md"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `1. \u201c\u9700\u6c42\u70b9\u201d\u4f18\u5148\u7528\u94f2\u5c4e\u5b98\u539f\u8bdd\uff0c\u5fc5\u8981\u65f6\u53ef\u8865\u4e00\u53e5\u5de5\u7a0b\u5316\u8f6c\u8ff0\u3002` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 125341, "scanner": "repobility-supply-chain", "fingerprint": "80aceb29f777ed5f365f52b56b096b11745bfbd13809c6b8862ebd4a1641981e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|80aceb29f777ed5f365f52b56b096b11745bfbd13809c6b8862ebd4a1641981e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/refs/requirements-checklist-template.md"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: ````` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 125340, "scanner": "repobility-supply-chain", "fingerprint": "3ee270b324d21a39b3353d484e47416f6bdf0c09b664510029121735bc0724c8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ee270b324d21a39b3353d484e47416f6bdf0c09b664510029121735bc0724c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/refs/requirements-checklist-template.md"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `| R3 | \u201c...\u201d | AC-3 | test / screenshot / manual | [ ] |` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 125339, "scanner": "repobility-supply-chain", "fingerprint": "85b4aad244d20b1453f477d746b42b01f87c7fa1bdb9e559b23f62671581f926", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85b4aad244d20b1453f477d746b42b01f87c7fa1bdb9e559b23f62671581f926"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/refs/requirements-checklist-template.md"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `| R2 | \u201c...\u201d | AC-2 | test / screenshot / manual | [ ] |` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 125338, "scanner": "repobility-supply-chain", "fingerprint": "c4e3e436ad0b626d8319244d389cd8ce6be756069d534be42d8f5008b3c8a335", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4e3e436ad0b626d8319244d389cd8ce6be756069d534be42d8f5008b3c8a335"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/refs/requirements-checklist-template.md"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `| R1 | \u201c...\u201d | AC-1 | test / screenshot / manual | [ ] |` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 125337, "scanner": "repobility-supply-chain", "fingerprint": "ab57bec925134c49dea980d05a6ec35fa4e24c349fe928f12b9d2442deaf57c0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab57bec925134c49dea980d05a6ec35fa4e24c349fe928f12b9d2442deaf57c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/refs/requirements-checklist-template.md"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `|----|---------------------------|---------|----------|------|` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 125336, "scanner": "repobility-supply-chain", "fingerprint": "62f9d994579b98110537920922d1efeb1a22d726abf40b631ec98503bea60ec6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62f9d994579b98110537920922d1efeb1a22d726abf40b631ec98503bea60ec6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/refs/requirements-checklist-template.md"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `| ID | \u9700\u6c42\u70b9\uff08\u94f2\u5c4e\u5b98\u539f\u8bdd/\u8f6c\u8ff0\uff09 | AC \u7f16\u53f7 | \u9a8c\u8bc1\u65b9\u5f0f | \u72b6\u6001 |` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 125335, "scanner": "repobility-supply-chain", "fingerprint": "764584df0b0bf9a0e3869734fa794a6edc07c7b32df30c0d50fb9bd204ae25a5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|764584df0b0bf9a0e3869734fa794a6edc07c7b32df30c0d50fb9bd204ae25a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/refs/requirements-checklist-template.md"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: ````markdown` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 125334, "scanner": "repobility-supply-chain", "fingerprint": "fa03e7e00159840fb04a7c355f7bae055c54bf47c0e8decd300ca5e2f9f93bb3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa03e7e00159840fb04a7c355f7bae055c54bf47c0e8decd300ca5e2f9f93bb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/refs/requirements-checklist-template.md"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `> \u7528\u9014\uff1a\u5728 kickoff/spec \u9636\u6bb5\u628a\u9700\u6c42\u70b9\u7ed3\u6784\u5316\uff0c\u907f\u514d AC \u6f0f\u9879\u3002` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 125333, "scanner": "repobility-supply-chain", "fingerprint": "17ba469e3ab12073346281c1d71fa4de7a21621e6086837047f4a4686e94da37", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|17ba469e3ab12073346281c1d71fa4de7a21621e6086837047f4a4686e94da37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/refs/requirements-checklist-template.md"}, "region": {"startLine": 3}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 125295, "scanner": "repobility-agent-runtime", "fingerprint": "52c0c6a467e7171bc77351139577c38c11232cef88a76d38eca27932087b9f2d", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|52c0c6a467e7171bc77351139577c38c11232cef88a76d38eca27932087b9f2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/codex-session-context-snapshot.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 125294, "scanner": "repobility-agent-runtime", "fingerprint": "ff4b912e543f5944ad4d7c86d92ef1e0ac1347b29a3e5261de836215995b86db", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ff4b912e543f5944ad4d7c86d92ef1e0ac1347b29a3e5261de836215995b86db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/JobEventConsumer.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 125293, "scanner": "repobility-agent-runtime", "fingerprint": "48e64e6cee5d2204156c65a2e2fa95eb532a0d8f7274933a397736341d295398", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|48e64e6cee5d2204156c65a2e2fa95eb532a0d8f7274933a397736341d295398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/service-manager.js"}, "region": {"startLine": 186}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 125264, "scanner": "repobility-threat-engine", "fingerprint": "1f839c59fc8093046e7f48e2b0bd9bffffc55f40823c0ce24ec3019b4cdfab30", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1f839c59fc8093046e7f48e2b0bd9bffffc55f40823c0ce24ec3019b4cdfab30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/whisper-api.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 125246, "scanner": "repobility-threat-engine", "fingerprint": "f57b3a6c5b4895404465b1141c7d87827fb6261cfa01d7d1644f6fe01962fe5c", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "Exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|204|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/tools/shell-tools.ts"}, "region": {"startLine": 204}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 125241, "scanner": "repobility-threat-engine", "fingerprint": "79bef3083e3362d2892cbbb9e77cc43499aabfe6c5ddf45fe7835ed26deb6dbe", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "nonce = Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|236|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/callback-bootcamp-routes.ts"}, "region": {"startLine": 236}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 125234, "scanner": "repobility-threat-engine", "fingerprint": "100fb4e4dc57ce0ea45ce3eadf592f2c036227f9601377ea189a5af5ff8c6df0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "nonce = Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|100fb4e4dc57ce0ea45ce3eadf592f2c036227f9601377ea189a5af5ff8c6df0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/callback-bootcamp-routes.ts"}, "region": {"startLine": 236}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 125233, "scanner": "repobility-threat-engine", "fingerprint": "18de2d4a34908ae7b5b738dba396d83294208581b2e7c3bfacae81d3f4b4bd90", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Token: <redacted> Record<string, string> {\n  const uin = Buffer.from(String(Math.floor(Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|18de2d4a34908ae7b5b738dba396d83294208581b2e7c3bfacae81d3f4b4bd90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/infrastructure/connectors/adapters/weixin-cdn.ts"}, "region": {"startLine": 220}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 125208, "scanner": "repobility-threat-engine", "fingerprint": "243db15652d6f17b5dd58b57b778f7e947d53493c4fe1ad6ef41d33de98b7ed3", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|243db15652d6f17b5dd58b57b778f7e947d53493c4fe1ad6ef41d33de98b7ed3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/game/GameNarratorDriver.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 125207, "scanner": "repobility-threat-engine", "fingerprint": "a3ed7648b02ae69dfe057986a8e13a2d55b812392c8b607e2c39fe515e5d469c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a3ed7648b02ae69dfe057986a8e13a2d55b812392c8b607e2c39fe515e5d469c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/antigravity/executors/McpToolExecutor.ts"}, "region": {"startLine": 207}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 125206, "scanner": "repobility-threat-engine", "fingerprint": "d69eac536b695e65749edc96eacc026e659a560ac410c6467285893e88477db0", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d69eac536b695e65749edc96eacc026e659a560ac410c6467285893e88477db0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/acp/AcpProcessPool.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 125184, "scanner": "repobility-threat-engine", "fingerprint": "40404e94c99d1e649e5961ae6fe995d30bfc64efe87a9ae4db06e587157cd506", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|114|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/routing/final-routing-slot.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 125183, "scanner": "repobility-threat-engine", "fingerprint": "1381ac6314ebd1b57855fc416688d2f0d1214ca0ebb4cb91f2afcbb6e45b67c5", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|25|sec045", "duplicate_count": 1, "duplicate_rule_ids": ["SEC045"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["1381ac6314ebd1b57855fc416688d2f0d1214ca0ebb4cb91f2afcbb6e45b67c5", "22236c9c098898b342d65adf86a32ee6bf70502d14bc72fc938b375eab236de8"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/writing-skills/render-graphs.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5e332cb7ed3a81405531dc314fc48aa0dd09e2263ff1253cdded0a45333d9ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/memory/SummaryCompactionTask.ts", "duplicate_line": 55, "correlation_key": "fp|b5e332cb7ed3a81405531dc314fc48aa0dd09e2263ff1253cdded0a45333d9ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/memory/SummaryCompactionTaskSpec.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a62ff48504b237febe5b109fb090171370d71ce991eeb8f363f4f93d5625e2b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/memory/BindingDryRun.ts", "duplicate_line": 6, "correlation_key": "fp|a62ff48504b237febe5b109fb090171370d71ce991eeb8f363f4f93d5625e2b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/memory/GenericRepoScanner.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aab5750d70a2387ca894fdf3e727d9d4c578f704870bb10d9e401b799b97d056", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/memory/FlatScanner.ts", "duplicate_line": 4, "correlation_key": "fp|aab5750d70a2387ca894fdf3e727d9d4c578f704870bb10d9e401b799b97d056"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/memory/GenericRepoScanner.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125289, "scanner": "repobility-ai-code-hygiene", "fingerprint": "090707f20ac8eb6e4ed1838199e90b90f53efead1b10638888d19dfbb84378f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/memory/CatCafeScanner.ts", "duplicate_line": 329, "correlation_key": "fp|090707f20ac8eb6e4ed1838199e90b90f53efead1b10638888d19dfbb84378f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/memory/FlatScanner.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125288, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a5ec5154ffa3192d0f8ba7285e71ed8de52b6b327192977399acb3f1712048b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/memory/BindingDryRun.ts", "duplicate_line": 6, "correlation_key": "fp|a5ec5154ffa3192d0f8ba7285e71ed8de52b6b327192977399acb3f1712048b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/memory/FlatScanner.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125287, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9538126ddc8ec142cc87ef952eb981a541f8428e2e3e7f1757326ba0472e48e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/stores/ports/TaskStore.ts", "duplicate_line": 58, "correlation_key": "fp|b9538126ddc8ec142cc87ef952eb981a541f8428e2e3e7f1757326ba0472e48e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/stores/redis/RedisTaskStore.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125286, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b58ab7bd3bfe9057206bd78cedc436b95b9813336f77e96619a396153afff927", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/stores/ports/ProposalStore.ts", "duplicate_line": 53, "correlation_key": "fp|b58ab7bd3bfe9057206bd78cedc436b95b9813336f77e96619a396153afff927"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/stores/redis/RedisProposalStore.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125285, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ed9402471f0841ca8685dbb17cc5d21cbe9f37d66521303239e9c7de670b7cb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/stores/redis/RedisInvocationRecordStore.ts", "duplicate_line": 277, "correlation_key": "fp|4ed9402471f0841ca8685dbb17cc5d21cbe9f37d66521303239e9c7de670b7cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/stores/redis/RedisMessageStore.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125284, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ced7c8e9bd84c53af5742750f8fbe2a9cddea1fdf4a17b4da5371690cc703f7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/stores/memory/InMemoryCommunityIssueStore.ts", "duplicate_line": 13, "correlation_key": "fp|9ced7c8e9bd84c53af5742750f8fbe2a9cddea1fdf4a17b4da5371690cc703f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/stores/redis/RedisCommunityIssueStore.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125283, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e818e6406eb5cf1208dd7b462acc6782ca00777b05566afd64ddc9b0995e7891", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/stores/ports/BacklogStore.ts", "duplicate_line": 80, "correlation_key": "fp|e818e6406eb5cf1208dd7b462acc6782ca00777b05566afd64ddc9b0995e7891"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/stores/redis/RedisBacklogStore.ts"}, "region": {"startLine": 279}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125282, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0876eba33ee89a29ed744ed19a23325888065772af885cf0342fbe6b27d47326", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/stores/ports/AuthorizationRuleStore.ts", "duplicate_line": 44, "correlation_key": "fp|0876eba33ee89a29ed744ed19a23325888065772af885cf0342fbe6b27d47326"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/stores/redis/RedisAuthorizationRuleStore.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125281, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e679087becf3dbcd184cb4273f986d51a4b7e62253b4229e60bf66b63f5b0b38", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/runtime-session/ExternalRuntimeSessionRegistration.ts", "duplicate_line": 531, "correlation_key": "fp|e679087becf3dbcd184cb4273f986d51a4b7e62253b4229e60bf66b63f5b0b38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/runtime-session/RuntimeSessionMetadata.ts"}, "region": {"startLine": 258}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125280, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d66f4027ebc9e251906d4c69b30951838323ba597b27d01619789f4123c04813", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/antigravity/antigravity-runtime-lifecycle.ts", "duplicate_line": 52, "correlation_key": "fp|d66f4027ebc9e251906d4c69b30951838323ba597b27d01619789f4123c04813"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/runtime-session/RuntimeSessionMetadata.ts"}, "region": {"startLine": 256}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125279, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9e41ee5ebaf06b5b6b1cebf5a19890f8b84040953b64a346aba692f99fd5608", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/antigravity/antigravity-runtime-lifecycle.ts", "duplicate_line": 52, "correlation_key": "fp|b9e41ee5ebaf06b5b6b1cebf5a19890f8b84040953b64a346aba692f99fd5608"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/runtime-session/ExternalRuntimeSessionRegistration.ts"}, "region": {"startLine": 529}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125278, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ffaf4738c50da342cc087f7eff1b38df2b68a6d0e8e54270738867404f4189d4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/routing/a2a-mentions.ts", "duplicate_line": 130, "correlation_key": "fp|ffaf4738c50da342cc087f7eff1b38df2b68a6d0e8e54270738867404f4189d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/routing/a2a-shadow-detection.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125277, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e1ce6cf7829a184069d16b67dbb5315d068947f6daa35022b9160d12560251b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/codex-session-context-snapshot.ts", "duplicate_line": 70, "correlation_key": "fp|4e1ce6cf7829a184069d16b67dbb5315d068947f6daa35022b9160d12560251b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/kimi-config.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125276, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac3b71035b817a68dee52c3ce2dba75c10ec1758bdf933f1b0c95cb074fc9a38", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/antigravity/executors/IdeReadToolExecutor.ts", "duplicate_line": 210, "correlation_key": "fp|ac3b71035b817a68dee52c3ce2dba75c10ec1758bdf933f1b0c95cb074fc9a38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/catagent/catagent-read-tools.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125275, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d6c9c34be80a3d038b3c23c2bdd0c5ecfad32b7314dbfea2e37af30df865fc7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/antigravity/executors/McpToolExecutor.ts", "duplicate_line": 237, "correlation_key": "fp|1d6c9c34be80a3d038b3c23c2bdd0c5ecfad32b7314dbfea2e37af30df865fc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/antigravity/executors/RunCommandExecutor.ts"}, "region": {"startLine": 192}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125274, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a0eb0a72b427fd68296c795f3cabfe3851711089c3948ea58c78c6e3a2dfd5bd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/CodexAgentService.ts", "duplicate_line": 700, "correlation_key": "fp|a0eb0a72b427fd68296c795f3cabfe3851711089c3948ea58c78c6e3a2dfd5bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/OpenCodeAgentService.ts"}, "region": {"startLine": 260}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125273, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e9b2f6d50171e6f3bd2481f5209eecb4c233adf5dfa5eac0cc643b8aac8dee6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/DareAgentService.ts", "duplicate_line": 149, "correlation_key": "fp|4e9b2f6d50171e6f3bd2481f5209eecb4c233adf5dfa5eac0cc643b8aac8dee6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/OpenCodeAgentService.ts"}, "region": {"startLine": 193}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125272, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a45eb87936937c4795dddee4bc54f60c2cf9d794e240fe1fa3c9fcd14f936af3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/ClaudeAgentService.ts", "duplicate_line": 326, "correlation_key": "fp|a45eb87936937c4795dddee4bc54f60c2cf9d794e240fe1fa3c9fcd14f936af3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/OpenCodeAgentService.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125271, "scanner": "repobility-ai-code-hygiene", "fingerprint": "37312245feddf861bb296669b986447b839bf078c6337caff55879da425e6bb8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/ClaudeAgentService.ts", "duplicate_line": 264, "correlation_key": "fp|37312245feddf861bb296669b986447b839bf078c6337caff55879da425e6bb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/KimiAgentService.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125270, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2f1bc3eddf6ab9ac96a4f9538e1a80dd3ddcbcc091a97e55e024b6f1f3a05447", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/CodexAgentService.ts", "duplicate_line": 699, "correlation_key": "fp|2f1bc3eddf6ab9ac96a4f9538e1a80dd3ddcbcc091a97e55e024b6f1f3a05447"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/DareAgentService.ts"}, "region": {"startLine": 174}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125269, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8cdc943fa0f50f1d29492132cbbec9ba00b004f17807e016bae59b48b009c10b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/ClaudeAgentService.ts", "duplicate_line": 375, "correlation_key": "fp|8cdc943fa0f50f1d29492132cbbec9ba00b004f17807e016bae59b48b009c10b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/DareAgentService.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125268, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a375020c0d77be90fd697c6243be6bb97310c9bb3c2aa3544edfc7ca4441b6d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/domains/cats/services/agents/providers/ClaudeAgentService.ts", "duplicate_line": 374, "correlation_key": "fp|7a375020c0d77be90fd697c6243be6bb97310c9bb3c2aa3544edfc7ca4441b6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/CodexAgentService.ts"}, "region": {"startLine": 499}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 125267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c35e2c45b3ea89a4021a2e91a0da51ef253bb2ed2ec04dc641b684c21cd0304", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/api/src/config/governance/governance-bootstrap.ts", "duplicate_line": 136, "correlation_key": "fp|3c35e2c45b3ea89a4021a2e91a0da51ef253bb2ed2ec04dc641b684c21cd0304"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/config/governance/skills-state.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 125266, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": ["AGENTS.md", "CLAUDE.md", "GEMINI.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AGENTS.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `transcribe` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=1, except=1, if=4, or=1, ternary=2."}, "properties": {"repobilityId": 125265, "scanner": "repobility-threat-engine", "fingerprint": "6f23cb2bfb1852bffbf447143bcb8c5490203492e271510b42d68526bf34a872", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "transcribe", "breakdown": {"if": 4, "or": 1, "else": 1, "except": 1, "ternary": 2}, "complexity": 9, "correlation_key": "fp|6f23cb2bfb1852bffbf447143bcb8c5490203492e271510b42d68526bf34a872"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/whisper-api.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 125254, "scanner": "repobility-threat-engine", "fingerprint": "a62e8d30a099f4c826846be2d08531381e6080c585ca545acfad7af7053134ec", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML =\n        '<pre style=\"color:#e53;font-size:var(--preview-font-xs);white-space:pre-wrap\">", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|186|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/workspace/JsxPreview.tsx"}, "region": {"startLine": 186}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 125253, "scanner": "repobility-threat-engine", "fingerprint": "b8956b10b5e991a0cde1b9bbc50f376aa4f11ada1004f32ec4d5a327b244e7e2", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = e", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|171|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/guide-overlay/GuideOverlayHUD.tsx"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 125263, "scanner": "repobility-threat-engine", "fingerprint": "379cc30cbbbae188ab683d5fa3ed86bd71641e154993b29d2c0f36eb1af4313a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|379cc30cbbbae188ab683d5fa3ed86bd71641e154993b29d2c0f36eb1af4313a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/whisper-api.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 125261, "scanner": "repobility-threat-engine", "fingerprint": "730b1589c4f2247c418c07abe6148c0d5e0675ca7893ae9724d1903c622663e6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|730b1589c4f2247c418c07abe6148c0d5e0675ca7893ae9724d1903c622663e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/qwen3-asr-api.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 125260, "scanner": "repobility-threat-engine", "fingerprint": "ba3d16933d54ae8ba0f2248addaebb0df2cd2fafc7ae42f089b165d931295012", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "print(f'[hf-download diag]   {_k}={os.environ.get(_k, \\\"<unset>\\\")", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|20|print f hf-download diag _k os.environ.get _k unset"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/install-template.sh"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 125259, "scanner": "repobility-threat-engine", "fingerprint": "a6cf7dc46c6dc65e86820e522d7b9c00015cf799cbe345f9821b2aa6d5930fcc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6cf7dc46c6dc65e86820e522d7b9c00015cf799cbe345f9821b2aa6d5930fcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/tts-install.sh"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 125258, "scanner": "repobility-threat-engine", "fingerprint": "369d52ef374830d10db2ba7d099958c8fd27d60d2a6bfa7696a7ba614a9975d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|369d52ef374830d10db2ba7d099958c8fd27d60d2a6bfa7696a7ba614a9975d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/install-template.sh"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 125257, "scanner": "repobility-threat-engine", "fingerprint": "5ebd4c6fd6bea8113738b927d3c5f0baf382ed598114cd020d2ceaa2658d9753", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5ebd4c6fd6bea8113738b927d3c5f0baf382ed598114cd020d2ceaa2658d9753"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/init-cafe.sh"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 125256, "scanner": "repobility-threat-engine", "fingerprint": "7b8668391dfb714ee693573a7e84bf7091023ab68bea31751488f621802627ca", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|41|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/hooks/useSendMessage.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 125255, "scanner": "repobility-threat-engine", "fingerprint": "25c0f9865755b81572e350d6d97192c1a4dac5fbf177748e6d198048f561c577", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|25c0f9865755b81572e350d6d97192c1a4dac5fbf177748e6d198048f561c577"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/hub-accounts.sections.tsx"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 125252, "scanner": "repobility-threat-engine", "fingerprint": "d6c0a0cef72eb79ac41508a0a5bafbd570fb97a5ddbe5e3dd9cf17bed0c5bda9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6c0a0cef72eb79ac41508a0a5bafbd570fb97a5ddbe5e3dd9cf17bed0c5bda9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/MermaidDiagram.tsx"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 125251, "scanner": "repobility-threat-engine", "fingerprint": "f34ad899a6c238467ec0aae4772ada02d47fd63a4ca9d3b0af45df081726a3e0", "category": "security", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\"noopener\"|\\'noopener\\'' detected on same line", "evidence": {"match": "window.open(src, '_blank', 'noopener')", "reason": "Safe pattern '\"noopener\"|\\'noopener\\'' detected on same line", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|security|token|33|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/ConnectorBubble.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 125250, "scanner": "repobility-threat-engine", "fingerprint": "75dd086491e9b36224fb12dfd6f6eb12d18c15a32a16e17ebd717dabe9219893", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|75dd086491e9b36224fb12dfd6f6eb12d18c15a32a16e17ebd717dabe9219893", "aggregated_count": 16}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 125249, "scanner": "repobility-threat-engine", "fingerprint": "a8786235ecbf2b3167b8ab0fd186e039acd0f19b3d05c178b349453a88d02ee3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a8786235ecbf2b3167b8ab0fd186e039acd0f19b3d05c178b349453a88d02ee3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/ConnectorBubble.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 125248, "scanner": "repobility-threat-engine", "fingerprint": "b4bb6ab96cf529ba1e69862caef8dcff269561b48247b7e79161098b8edaf5e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b4bb6ab96cf529ba1e69862caef8dcff269561b48247b7e79161098b8edaf5e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/app/story-export/page.tsx"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 125247, "scanner": "repobility-threat-engine", "fingerprint": "653bae93989876a7020370fe643ccb37f4f037d260f871d2c6ad630c9ad83954", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|653bae93989876a7020370fe643ccb37f4f037d260f871d2c6ad630c9ad83954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/app/story-export/grep-hippocampus/page.tsx"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 56 more): Same pattern found in 56 additional files. Review if needed."}, "properties": {"repobilityId": 125240, "scanner": "repobility-threat-engine", "fingerprint": "cdafe19e11a54fbedd7884a918c21d70c3e8cffae58968e1201c0242d7ae8a5b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 56 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 56 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|cdafe19e11a54fbedd7884a918c21d70c3e8cffae58968e1201c0242d7ae8a5b"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 125232, "scanner": "repobility-threat-engine", "fingerprint": "72c90369be21728533f055eef517329745297ab9aeeadd5518f07dee4add4229", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|72c90369be21728533f055eef517329745297ab9aeeadd5518f07dee4add4229"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/preview/preview-gateway.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 125231, "scanner": "repobility-threat-engine", "fingerprint": "5b272a6ddeaec107389be1a3241f91dec13a8604c4d71b211d5d8437d98aeb88", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b272a6ddeaec107389be1a3241f91dec13a8604c4d71b211d5d8437d98aeb88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/memory/SecretScanner.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 125230, "scanner": "repobility-threat-engine", "fingerprint": "814505ea9c56c1cdf3329a6624808f8471bdb2072be6a6109dd09cedc8ec8c7b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|814505ea9c56c1cdf3329a6624808f8471bdb2072be6a6109dd09cedc8ec8c7b"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 125225, "scanner": "repobility-threat-engine", "fingerprint": "14320fa2039dcbbb922b3b65963d48014a7c3a786d91238b72c64156d4671b0e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14320fa2039dcbbb922b3b65963d48014a7c3a786d91238b72c64156d4671b0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/hooks/useGuideEngine.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 125224, "scanner": "repobility-threat-engine", "fingerprint": "0ef4e2b78958674935d2f1e4c003a42ce1ff88ba709af1fd80bc097601b55c61", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ef4e2b78958674935d2f1e4c003a42ce1ff88ba709af1fd80bc097601b55c61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/services/ImageExporter.ts"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 125223, "scanner": "repobility-threat-engine", "fingerprint": "e0e37912e8a7b1610d4a68a0e40af1e345de496727464048aa562dee6b155c43", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0e37912e8a7b1610d4a68a0e40af1e345de496727464048aa562dee6b155c43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/stores/redis/RedisCommunityIssueStore.ts"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED024", "level": "none", "message": {"text": "[MINED024] Js Eval Usage (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 125222, "scanner": "repobility-threat-engine", "fingerprint": "f7e26c3ad16acd7682b8cea9f38712147ab9a3a3f02126659a2814adce55e053", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f7e26c3ad16acd7682b8cea9f38712147ab9a3a3f02126659a2814adce55e053", "aggregated_count": 7}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 125218, "scanner": "repobility-threat-engine", "fingerprint": "eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "aggregated_count": 8}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 125217, "scanner": "repobility-threat-engine", "fingerprint": "a6466e4e5ea1ff11936eaaf715455c7e21e8e3ecd521997d415a831f410858c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6466e4e5ea1ff11936eaaf715455c7e21e8e3ecd521997d415a831f410858c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/packs/PackLoader.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 125216, "scanner": "repobility-threat-engine", "fingerprint": "4020c015e6be7fa7cbdcc313d20154b5a5d61af15e15d80090bdadfcbcb11a6d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4020c015e6be7fa7cbdcc313d20154b5a5d61af15e15d80090bdadfcbcb11a6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/push/PushNotificationService.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 125215, "scanner": "repobility-threat-engine", "fingerprint": "8f2d67838b20ccb57d79cb2ecd1aa1a3a6fc6c727f3cdd12395366b443ca873a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f2d67838b20ccb57d79cb2ecd1aa1a3a6fc6c727f3cdd12395366b443ca873a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/image-paths.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 125209, "scanner": "repobility-threat-engine", "fingerprint": "91f56c48193978c72526e79cabfe5a715bfe46a03300621a985ad2f0dd419972", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|91f56c48193978c72526e79cabfe5a715bfe46a03300621a985ad2f0dd419972"}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 125205, "scanner": "repobility-threat-engine", "fingerprint": "5b220fbbcc5595f790c3c8a72a3eb99e3ab75cd2a6fa3d88c2a598ac73068a2d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5b220fbbcc5595f790c3c8a72a3eb99e3ab75cd2a6fa3d88c2a598ac73068a2d", "aggregated_count": 2}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 125204, "scanner": "repobility-threat-engine", "fingerprint": "cb645470ef2dabfdd54c47c5e0a305466ba0c8745a430530d4aab84aa83ccae4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cb645470ef2dabfdd54c47c5e0a305466ba0c8745a430530d4aab84aa83ccae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/infrastructure/security-headers.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 125203, "scanner": "repobility-threat-engine", "fingerprint": "6913e48952fe55ad41bd7822f15f0459eb9a7dce70fe0e7bb74a1beed0e98df8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6913e48952fe55ad41bd7822f15f0459eb9a7dce70fe0e7bb74a1beed0e98df8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/preview/preview-gateway.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 125202, "scanner": "repobility-threat-engine", "fingerprint": "7ae1f9d633bb8ff78f675a4b424b8703f343edaa9ac5a5cbc46419481ce12003", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ae1f9d633bb8ff78f675a4b424b8703f343edaa9ac5a5cbc46419481ce12003"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/config/frontend-origin.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 62 more): Same pattern found in 62 additional files. Review if needed."}, "properties": {"repobilityId": 125201, "scanner": "repobility-threat-engine", "fingerprint": "26fdbbcc745d89d93e305f1057b57b71e5011cd0c7ed2eec67d1d0dbe7f62813", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 62 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|26fdbbcc745d89d93e305f1057b57b71e5011cd0c7ed2eec67d1d0dbe7f62813", "aggregated_count": 62}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 125200, "scanner": "repobility-threat-engine", "fingerprint": "69644a76e85b2a62899a45eb8fd38860785bffcab895922ac42649512403d203", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|69644a76e85b2a62899a45eb8fd38860785bffcab895922ac42649512403d203"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/config/credentials.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 125199, "scanner": "repobility-threat-engine", "fingerprint": "a07da80bb8af663fde361b86ad1899d4e88fcb4b54a75bc3d8b82feed02998e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a07da80bb8af663fde361b86ad1899d4e88fcb4b54a75bc3d8b82feed02998e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/config/cat-catalog-store.ts"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 125198, "scanner": "repobility-threat-engine", "fingerprint": "03f169d8be440afdd0051bc15f6c8b37535ea4ea1489d43b538ca74b5d1ad0a8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03f169d8be440afdd0051bc15f6c8b37535ea4ea1489d43b538ca74b5d1ad0a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/config/capabilities/capability-install.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 76 more): Same pattern found in 76 additional files. Review if needed."}, "properties": {"repobilityId": 125197, "scanner": "repobility-threat-engine", "fingerprint": "c3fcb55b150c4f44dc419d1292fb0afe8d4e58492eb9d529b234b4148f940ad8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 76 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 76 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c3fcb55b150c4f44dc419d1292fb0afe8d4e58492eb9d529b234b4148f940ad8"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 67 more): Same pattern found in 67 additional files. Review if needed."}, "properties": {"repobilityId": 125193, "scanner": "repobility-threat-engine", "fingerprint": "be0451cdbe68538262abfea953221bec5a2f7dd8ec6b9ee13ae630d79aa26c8f", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 67 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 67 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|be0451cdbe68538262abfea953221bec5a2f7dd8ec6b9ee13ae630d79aa26c8f"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 125189, "scanner": "repobility-threat-engine", "fingerprint": "4707ff94c641e1a24252b51d475a328e654d88b051f1ff3d287ea4e85b926297", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4707ff94c641e1a24252b51d475a328e654d88b051f1ff3d287ea4e85b926297"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "properties": {"repobilityId": 125185, "scanner": "repobility-threat-engine", "fingerprint": "662d7a28733ccd0b5a18b94cce15b3626802fe2dc3bf96aec9b99ba6379a69a5", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|662d7a28733ccd0b5a18b94cce15b3626802fe2dc3bf96aec9b99ba6379a69a5"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 125182, "scanner": "repobility-threat-engine", "fingerprint": "84fa3e3e389004a50d9aedc2150cbc21c4b1964419fb7820e629c030fb0f595e", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|84fa3e3e389004a50d9aedc2150cbc21c4b1964419fb7820e629c030fb0f595e"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 56 more): Same pattern found in 56 additional files. Review if needed."}, "properties": {"repobilityId": 125178, "scanner": "repobility-threat-engine", "fingerprint": "78494aa986c648210d42db5a24bd28877556aa3b06807cc2d0caba8a169d4749", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 56 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|78494aa986c648210d42db5a24bd28877556aa3b06807cc2d0caba8a169d4749", "aggregated_count": 56}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 125177, "scanner": "repobility-threat-engine", "fingerprint": "ea7c06d433db294ea3cd2278208612d686e37306c02a1e8c39bd77505042fe5b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea7c06d433db294ea3cd2278208612d686e37306c02a1e8c39bd77505042fe5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/afterPack.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 125176, "scanner": "repobility-threat-engine", "fingerprint": "573853c9570ec9b37c1d6a048c3a5eb990ad81d04aae34b38a758c842a7579cd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|573853c9570ec9b37c1d6a048c3a5eb990ad81d04aae34b38a758c842a7579cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/writing-skills/render-graphs.js"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 125175, "scanner": "repobility-threat-engine", "fingerprint": "22d8db9d74f8248820f5374897f200beecbb11b223ef047431d77ec9b91e56ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|22d8db9d74f8248820f5374897f200beecbb11b223ef047431d77ec9b91e56ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/ttfund-skills/scripts/ttfund-call.mjs"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125367, "scanner": "repobility-supply-chain", "fingerprint": "d1fc1af3d3168cde69f7eaf35d89b9fb2f33c460193838406c15101d360b5283", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1fc1af3d3168cde69f7eaf35d89b9fb2f33c460193838406c15101d360b5283"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-mac-dmg.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125366, "scanner": "repobility-supply-chain", "fingerprint": "1027524bae1ae5ae0a5532e18ae4ae61357a341c6c06a2b1f5815f527c589e1b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1027524bae1ae5ae0a5532e18ae4ae61357a341c6c06a2b1f5815f527c589e1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-mac-dmg.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125365, "scanner": "repobility-supply-chain", "fingerprint": "99f9dd3ecafb6f60af4ff61a7b29ac038c10c7b8740a8166ef3d6f74b15fce3f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99f9dd3ecafb6f60af4ff61a7b29ac038c10c7b8740a8166ef3d6f74b15fce3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-mac-dmg.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125364, "scanner": "repobility-supply-chain", "fingerprint": "ef9e6b996742f6a3902b15dd5075f46bac80a82b98e3f79336757f1cb6135cd4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef9e6b996742f6a3902b15dd5075f46bac80a82b98e3f79336757f1cb6135cd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-mac-dmg.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125363, "scanner": "repobility-supply-chain", "fingerprint": "e69713a3dc7c6ad91ca84e7d53ae1d8f180737436652962813e946511d7a8d5c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e69713a3dc7c6ad91ca84e7d53ae1d8f180737436652962813e946511d7a8d5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-mac-dmg.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125362, "scanner": "repobility-supply-chain", "fingerprint": "6a5e04ed1a953ba36103b84c0089154373ef72b93f9ba37473b2f952c9761049", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a5e04ed1a953ba36103b84c0089154373ef72b93f9ba37473b2f952c9761049"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125361, "scanner": "repobility-supply-chain", "fingerprint": "c2012c030a4a64a074fa34cbf11caffad8a2826d352f737fbadd1a451a62e7be", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c2012c030a4a64a074fa34cbf11caffad8a2826d352f737fbadd1a451a62e7be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125360, "scanner": "repobility-supply-chain", "fingerprint": "58842b3c9a462872a7b407d2c9d8a60fa8869b761ab222d33e93ed88489be22b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58842b3c9a462872a7b407d2c9d8a60fa8869b761ab222d33e93ed88489be22b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125359, "scanner": "repobility-supply-chain", "fingerprint": "041b321071334721a9dcb813074a60beea0db01e94d6d55f328e930c674740f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|041b321071334721a9dcb813074a60beea0db01e94d6d55f328e930c674740f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125358, "scanner": "repobility-supply-chain", "fingerprint": "a476819670a6c13dabb2a35fce6e565bc9b1b30543fd701157761e6016a3db91", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a476819670a6c13dabb2a35fce6e565bc9b1b30543fd701157761e6016a3db91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125357, "scanner": "repobility-supply-chain", "fingerprint": "ff416e07823fa7c8a8586bbf9ec6d93d8c5b771d0b436ce2f4008df876e84955", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff416e07823fa7c8a8586bbf9ec6d93d8c5b771d0b436ce2f4008df876e84955"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125356, "scanner": "repobility-supply-chain", "fingerprint": "0fa3483a42ed6568fa11b8c2b85adb036cd45b1e024366d0bc0753e0ce07ca67", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fa3483a42ed6568fa11b8c2b85adb036cd45b1e024366d0bc0753e0ce07ca67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125355, "scanner": "repobility-supply-chain", "fingerprint": "7218c55466d589a42cc8bdb0608b59bb57f1b1e55811501b4f885a6cf683b180", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7218c55466d589a42cc8bdb0608b59bb57f1b1e55811501b4f885a6cf683b180"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125354, "scanner": "repobility-supply-chain", "fingerprint": "721861a5cab83dec45e21da12eb666c90fc0968d5ad60826d159b0ed001e6223", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|721861a5cab83dec45e21da12eb666c90fc0968d5ad60826d159b0ed001e6223"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125353, "scanner": "repobility-supply-chain", "fingerprint": "aecb2b2c28bbd118058d09bf46eea673ad14930bf2df6074b77da0ac52caa865", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aecb2b2c28bbd118058d09bf46eea673ad14930bf2df6074b77da0ac52caa865"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125352, "scanner": "repobility-supply-chain", "fingerprint": "ad83946ff013320cdf0e5325f1e97e2d58eca3482d53ea2e8d04ce710a9a6a96", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad83946ff013320cdf0e5325f1e97e2d58eca3482d53ea2e8d04ce710a9a6a96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-windows-desktop.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125351, "scanner": "repobility-supply-chain", "fingerprint": "71ef0ba7ebb50fb933b17c242a83c43c4aa07ef9a14ee23a715d1534ff4b50bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71ef0ba7ebb50fb933b17c242a83c43c4aa07ef9a14ee23a715d1534ff4b50bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-windows-desktop.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125350, "scanner": "repobility-supply-chain", "fingerprint": "d359026999df7cea852d2e378c579d378e49d730d7aeb007116808c66070c4e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d359026999df7cea852d2e378c579d378e49d730d7aeb007116808c66070c4e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-windows-desktop.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125349, "scanner": "repobility-supply-chain", "fingerprint": "6bc5a211f036fcb14081503b1fab7cb0baf5f0bd08323726566a0e2d56bf9dab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6bc5a211f036fcb14081503b1fab7cb0baf5f0bd08323726566a0e2d56bf9dab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-windows-desktop.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125348, "scanner": "repobility-supply-chain", "fingerprint": "c38bdf34e81aa9bdd998da3173ab7160a6afb9dfff82e6b0183b6ec77c437faf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c38bdf34e81aa9bdd998da3173ab7160a6afb9dfff82e6b0183b6ec77c437faf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-windows-desktop.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125347, "scanner": "repobility-supply-chain", "fingerprint": "40ed5a3bde837b753344ea01ff728d5a30fcd96257792004825dbdce025a7456", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40ed5a3bde837b753344ea01ff728d5a30fcd96257792004825dbdce025a7456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-windows-desktop.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125346, "scanner": "repobility-supply-chain", "fingerprint": "3072dc7ad6ef295c396b7fcff0a8e3c013045f24f07571cefdd77067c4d87b4b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3072dc7ad6ef295c396b7fcff0a8e3c013045f24f07571cefdd77067c4d87b4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-smoke.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125345, "scanner": "repobility-supply-chain", "fingerprint": "34e52600674ba360edbeef3f14ece14b4f64d627126d1aca1db09f038eaaa9bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34e52600674ba360edbeef3f14ece14b4f64d627126d1aca1db09f038eaaa9bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-smoke.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 125344, "scanner": "repobility-supply-chain", "fingerprint": "83ffba3e2aa12e87ecb74b49ac87a8bf77ef6e54af9cde6ce8f55dc84ec7dc73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83ffba3e2aa12e87ecb74b49ac87a8bf77ef6e54af9cde6ce8f55dc84ec7dc73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-smoke.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `eslint-plugin-cafe` pulled from URL/Git: `devDependencies.eslint-plugin-cafe` = `file:eslint-plugins` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 125332, "scanner": "repobility-supply-chain", "fingerprint": "6043c1c0472f7faa8f0a797df5d21f4cc9672499764548eecdca8032e6c75f95", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6043c1c0472f7faa8f0a797df5d21f4cc9672499764548eecdca8032e6c75f95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/backlog/import-active-features has no auth: Express route POST /api/backlog/import-active-features declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125331, "scanner": "repobility-route-auth", "fingerprint": "4e6bd3a2bc424bd322605acc2321951377a65dc66b5f75c0d2df928598b67f98", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4e6bd3a2bc424bd322605acc2321951377a65dc66b5f75c0d2df928598b67f98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/backlog.ts"}, "region": {"startLine": 327}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/backlog/items has no auth: Express route POST /api/backlog/items declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125330, "scanner": "repobility-route-auth", "fingerprint": "2710c700fc8e131fd5ef20159f9ba4349ed90fb0b88fe2e43af1e009f0a90e3d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2710c700fc8e131fd5ef20159f9ba4349ed90fb0b88fe2e43af1e009f0a90e3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/backlog.ts"}, "region": {"startLine": 301}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/task-outcome/terminal-state has no auth: Express route POST /api/task-outcome/terminal-state declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125329, "scanner": "repobility-route-auth", "fingerprint": "fd14494785816310350604c6b04f8fc98f778253542694d4b21c6c0e63f2cde3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|fd14494785816310350604c6b04f8fc98f778253542694d4b21c6c0e63f2cde3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/task-outcome.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/task-outcome/a1 has no auth: Express route POST /api/task-outcome/a1 declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125328, "scanner": "repobility-route-auth", "fingerprint": "4b30013542dc90502dcaa28916238abdcd709a2041ed7de37a3da7ac2f50c67b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4b30013542dc90502dcaa28916238abdcd709a2041ed7de37a3da7ac2f50c67b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/task-outcome.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/task-outcome/magic-word has no auth: Express route POST /api/task-outcome/magic-word declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125327, "scanner": "repobility-route-auth", "fingerprint": "8d28518ce055cb295f904489929858a83538976a0683faa9016d46e446fe0f6c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8d28518ce055cb295f904489929858a83538976a0683faa9016d46e446fe0f6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/task-outcome.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/task-outcome/cancel has no auth: Express route POST /api/task-outcome/cancel declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125326, "scanner": "repobility-route-auth", "fingerprint": "c9816d2c1bf7df0f8549acfd3ae51bd6a3200c7b39c1160d031e5744c861ed26", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c9816d2c1bf7df0f8549acfd3ae51bd6a3200c7b39c1160d031e5744c861ed26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/task-outcome.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/threads/read/mark-all has no auth: Express route POST /api/threads/read/mark-all declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125325, "scanner": "repobility-route-auth", "fingerprint": "d8e93a123fc206f6d093a81af4d6b301c7b84ff5f2ed9564199a04fa70071b3b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d8e93a123fc206f6d093a81af4d6b301c7b84ff5f2ed9564199a04fa70071b3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/threads.ts"}, "region": {"startLine": 683}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /api/threads/:id has no auth: Express route DELETE /api/threads/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125324, "scanner": "repobility-route-auth", "fingerprint": "cbf20a3b55cb2dcf6f7ed9e1580338cfde7cbada304fc3c69da13865982061e3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|cbf20a3b55cb2dcf6f7ed9e1580338cfde7cbada304fc3c69da13865982061e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/threads.ts"}, "region": {"startLine": 538}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /api/threads/:id has no auth: Express route PATCH /api/threads/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125323, "scanner": "repobility-route-auth", "fingerprint": "4a35e41b4dd516a132adf08a7a892e36a4c1488775a41e3370c69a2d9dd47df0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4a35e41b4dd516a132adf08a7a892e36a4c1488775a41e3370c69a2d9dd47df0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/threads.ts"}, "region": {"startLine": 461}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/threads has no auth: Express route POST /api/threads declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125322, "scanner": "repobility-route-auth", "fingerprint": "2131b520855366448e3c3e58351f7b1a58008c9c8af91be957356bdbd863324e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2131b520855366448e3c3e58351f7b1a58008c9c8af91be957356bdbd863324e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/threads.ts"}, "region": {"startLine": 253}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/callbacks/guide-control has no auth: Express route POST /api/callbacks/guide-control declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125321, "scanner": "repobility-route-auth", "fingerprint": "9cc03d87f1ba488f5b2db7850d00f9a55fd371d856fa653339c7be1ddfbc7617", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9cc03d87f1ba488f5b2db7850d00f9a55fd371d856fa653339c7be1ddfbc7617"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/callback-guide-routes.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/callbacks/guide-resolve has no auth: Express route POST /api/callbacks/guide-resolve declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125320, "scanner": "repobility-route-auth", "fingerprint": "5e5119c4b31c5b06320b1360fd9b4833acc83d58b5c2c922a4062680c2a357f8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5e5119c4b31c5b06320b1360fd9b4833acc83d58b5c2c922a4062680c2a357f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/callback-guide-routes.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/callbacks/get-available-guides has no auth: Express route POST /api/callbacks/get-available-guides declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125319, "scanner": "repobility-route-auth", "fingerprint": "e45b613449ba13b2d355e0fe8c02549bccad4340a07428beaf010cb10d1f5a6b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e45b613449ba13b2d355e0fe8c02549bccad4340a07428beaf010cb10d1f5a6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/callback-guide-routes.ts"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/callbacks/start-guide has no auth: Express route POST /api/callbacks/start-guide declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125318, "scanner": "repobility-route-auth", "fingerprint": "3b16a4a1f83810edfc3e80e1f7c166288a8ef06fa86e71d9afa350dadf0f653b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3b16a4a1f83810edfc3e80e1f7c166288a8ef06fa86e71d9afa350dadf0f653b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/callback-guide-routes.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/callbacks/update-guide-state has no auth: Express route POST /api/callbacks/update-guide-state declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125317, "scanner": "repobility-route-auth", "fingerprint": "7c03450bea37a4dfc451b00847feca1e8297298c7c7919e5d4565dbb9ec97631", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7c03450bea37a4dfc451b00847feca1e8297298c7c7919e5d4565dbb9ec97631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/callback-guide-routes.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/memory/publish has no auth: Express route POST /api/memory/publish declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125316, "scanner": "repobility-route-auth", "fingerprint": "7f06fa528c483b8f17fa8147345b938d909081d0583f5e4a205299e13838c43b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7f06fa528c483b8f17fa8147345b938d909081d0583f5e4a205299e13838c43b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/memory-publish.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/projects/mkdir has no auth: Express route POST /api/projects/mkdir declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125315, "scanner": "repobility-route-auth", "fingerprint": "aa13b3468576782feb25a97eebe8524af2e79cae7e8447277fc4cb6032d78b56", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|aa13b3468576782feb25a97eebe8524af2e79cae7e8447277fc4cb6032d78b56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/projects-mkdir.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/sessions/sop-bookmark has no auth: Express route POST /api/sessions/sop-bookmark declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125314, "scanner": "repobility-route-auth", "fingerprint": "de2b7eee32f513e45f3ed6fcf061c1cc80c07ca78581f6d580374d6bd39ff1c3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|de2b7eee32f513e45f3ed6fcf061c1cc80c07ca78581f6d580374d6bd39ff1c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/session-hooks.ts"}, "region": {"startLine": 267}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/sessions/seal has no auth: Express route POST /api/sessions/seal declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125313, "scanner": "repobility-route-auth", "fingerprint": "8c9d8d34c75ba9f565ff87c40fe658b555ece92c836b469b7a88069d5050372d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8c9d8d34c75ba9f565ff87c40fe658b555ece92c836b469b7a88069d5050372d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/session-hooks.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT /api/config/default-cat has no auth: Express route PUT /api/config/default-cat declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125312, "scanner": "repobility-route-auth", "fingerprint": "00113e2946622fabb52902ea503a64b47340e0e12dd0ebf4550984b2fc147ae4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|00113e2946622fabb52902ea503a64b47340e0e12dd0ebf4550984b2fc147ae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/config.ts"}, "region": {"startLine": 419}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /api/config/env has no auth: Express route PATCH /api/config/env declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125311, "scanner": "repobility-route-auth", "fingerprint": "426dceb3f9fb720f039325ae5527331870adc0fea8c09fff2b318aff1cf15fd0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|426dceb3f9fb720f039325ae5527331870adc0fea8c09fff2b318aff1cf15fd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/config.ts"}, "region": {"startLine": 294}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /api/config/owner has no auth: Express route PATCH /api/config/owner declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125310, "scanner": "repobility-route-auth", "fingerprint": "27146308cf0da43637410b3cf16c4408f9aaf9d5707c968219fa55def714f1c9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|27146308cf0da43637410b3cf16c4408f9aaf9d5707c968219fa55def714f1c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/config.ts"}, "region": {"startLine": 263}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /api/config/co-creator has no auth: Express route PATCH /api/config/co-creator declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125309, "scanner": "repobility-route-auth", "fingerprint": "7933e7ca9068edc762bf7e5c63c5ac6e7320203f776cc8d8febfc5210916c412", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7933e7ca9068edc762bf7e5c63c5ac6e7320203f776cc8d8febfc5210916c412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/config.ts"}, "region": {"startLine": 260}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /api/config has no auth: Express route PATCH /api/config declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125308, "scanner": "repobility-route-auth", "fingerprint": "35afb16da161af2a747729c1d8de20e41f44f7f8fc89ae5b92f11c1929296833", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|35afb16da161af2a747729c1d8de20e41f44f7f8fc89ae5b92f11c1929296833"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/config.ts"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/cats has no auth: Express route POST /api/cats declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 125307, "scanner": "repobility-route-auth", "fingerprint": "24acb47aaff8549ccfc1296d51f5e77f155fc4c30ecf6fc60a2c408ab03edcba", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|24acb47aaff8549ccfc1296d51f5e77f155fc4c30ecf6fc60a2c408ab03edcba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/cats.ts"}, "region": {"startLine": 479}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/embeddings has no auth: Handler `create_embeddings` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 125306, "scanner": "repobility-route-auth", "fingerprint": "5814fe5cdeb343a434b2b4385f9eab922c4df469547789a41ba1bd804d9b7733", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|5814fe5cdeb343a434b2b4385f9eab922c4df469547789a41ba1bd804d9b7733"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/embed-api.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/text/refine has no auth: Handler `refine` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 125305, "scanner": "repobility-route-auth", "fingerprint": "569e603e1b74551608a2423222d8bc21eb528ef0b98695c52e0a5ba7975b7131", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|569e603e1b74551608a2423222d8bc21eb528ef0b98695c52e0a5ba7975b7131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/llm-postprocess-api.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/audio/transcriptions has no auth: Handler `transcribe` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 125304, "scanner": "repobility-route-auth", "fingerprint": "68beade11f514b17c1ae829e07a456b140174e28804b8edef69c2f716ff44946", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|68beade11f514b17c1ae829e07a456b140174e28804b8edef69c2f716ff44946"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/qwen3-asr-api.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/audio/transcriptions has no auth: Handler `transcribe` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 125303, "scanner": "repobility-route-auth", "fingerprint": "c0bd45e891e5feda4599f6aa5d69ec2c5312b65c44a14d23d320abfeaff60cb4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c0bd45e891e5feda4599f6aa5d69ec2c5312b65c44a14d23d320abfeaff60cb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/whisper-api.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /v1/audio/speech has no auth: Handler `synthesize_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 125302, "scanner": "repobility-route-auth", "fingerprint": "e47c60bcba57e2613d9b1b8a288a15886ec4eb43f8aeacd25ab7743e92ef0b59", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|e47c60bcba57e2613d9b1b8a288a15886ec4eb43f8aeacd25ab7743e92ef0b59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/tts-api.py"}, "region": {"startLine": 481}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._ensure_loaded` used but never assigned in __init__: Method `synthesize` of class `PiperAdapter` reads `self._ensure_loaded`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 125301, "scanner": "repobility-ast-engine", "fingerprint": "1f5ca4053415bf963931a59653a8d190f53c44a77cec02e3bd741ed16a984012", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1f5ca4053415bf963931a59653a8d190f53c44a77cec02e3bd741ed16a984012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/tts-api.py"}, "region": {"startLine": 323}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._model_paths` used but never assigned in __init__: Method `_ensure_loaded` of class `PiperAdapter` reads `self._model_paths`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 125300, "scanner": "repobility-ast-engine", "fingerprint": "b4fb091ed6b722e4aea7f7f0b81a50a981f62d4dc51c9a8d6d063ef726102080", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b4fb091ed6b722e4aea7f7f0b81a50a981f62d4dc51c9a8d6d063ef726102080"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/tts-api.py"}, "region": {"startLine": 311}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 125299, "scanner": "repobility-journey-contract", "fingerprint": "14226beadde145d38c6010eb890ac856ef5fddb947ddf0d2cd2810ac1bb007c8", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|81|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/hub-accounts.sections.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 125298, "scanner": "repobility-journey-contract", "fingerprint": "3a2f9ebbde2a74d1ce62bb71884942f18fabdfb7fa5ee42ade2874d167bd5059", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|124|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/WeComBotSetupPanel.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 125297, "scanner": "repobility-journey-contract", "fingerprint": "2314d103f86dc3158e9afa28d2a6641d745076e6c61782a65ad1ac85cd7f2eb5", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|313|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/UnifiedAuthModal.tsx"}, "region": {"startLine": 313}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 125296, "scanner": "repobility-journey-contract", "fingerprint": "56f04d862727a97f678db5ec9b6c3d73a26e03b741e38a3d1b403b4bc023925f", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|720|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 2}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/connector-hub.ts"}, "region": {"startLine": 720}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 125262, "scanner": "repobility-threat-engine", "fingerprint": "5462bd3095061e694f39b1bc30a028056791e72d62d41614455718a7e8fe4d0c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5462bd3095061e694f39b1bc30a028056791e72d62d41614455718a7e8fe4d0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/services/whisper-api.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 125245, "scanner": "repobility-threat-engine", "fingerprint": "81f5c3c6fee0d8d29956d958b2e09e338504e960331e045d8f0ef56ea0b60494", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|73|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/tools/hub-action-tools.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 125244, "scanner": "repobility-threat-engine", "fingerprint": "924b4902e237df9b5de6486761a1a9f30e51409af33bf6a5b07e29d84ae3822d", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(expandHomeDir(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|21|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/utils/path-utils.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 125243, "scanner": "repobility-threat-engine", "fingerprint": "e91a0e83f8105e0dc2e91cb3beb15d241346bc9d8316e9b7bf12d04b2d25cb84", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|69|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/tools/file-tools.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 125242, "scanner": "repobility-threat-engine", "fingerprint": "fd72fb6b9f4f7ca5936edc82a8f4b181ce455fe284a9c366fe3a09596965bebe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd72fb6b9f4f7ca5936edc82a8f4b181ce455fe284a9c366fe3a09596965bebe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/utils/cli-resolve.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 125239, "scanner": "repobility-threat-engine", "fingerprint": "a5243f1281906ccc9508598babdb71e40f0bbb00e9d0ff7bfb8ad0ea5ecff0a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/api/authorization/respond', async (request, reply) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a5243f1281906ccc9508598babdb71e40f0bbb00e9d0ff7bfb8ad0ea5ecff0a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/authorization.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 125238, "scanner": "repobility-threat-engine", "fingerprint": "8d68ad247227b9a56fb21fefc197c19b4c34f7605633786b5268d251ef548e3b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/api/audio/start', async (req, reply) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8d68ad247227b9a56fb21fefc197c19b4c34f7605633786b5268d251ef548e3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/audio-proxy.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 125237, "scanner": "repobility-threat-engine", "fingerprint": "ccf5e4ebbf7db44ca318f6ab01e1c19008d5469b9b520b68c22c595a47fca183", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/api/agent-hooks/sync', async (request, reply) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ccf5e4ebbf7db44ca318f6ab01e1c19008d5469b9b520b68c22c595a47fca183"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/routes/agent-hooks.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 125236, "scanner": "repobility-threat-engine", "fingerprint": "21fa5fe22b1302bf00e1dba7b9d47508ab58c245f4c14f69b9a50df52942cf6a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21fa5fe22b1302bf00e1dba7b9d47508ab58c245f4c14f69b9a50df52942cf6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/restore-chat-md-to-redis.mjs"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 125235, "scanner": "repobility-threat-engine", "fingerprint": "2f53954b1cdc316a814c82c502958a7549caa401dced3edf1d5b54ac7c718239", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f53954b1cdc316a814c82c502958a7549caa401dced3edf1d5b54ac7c718239"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/infrastructure/connectors/adapters/weixin-cdn.ts"}, "region": {"startLine": 175}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 125229, "scanner": "repobility-threat-engine", "fingerprint": "314003a04486fa2b32fee0a7e74aa0e995c399678bf6fa4581d367d753cd9e2b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|314003a04486fa2b32fee0a7e74aa0e995c399678bf6fa4581d367d753cd9e2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/infrastructure/harness-eval/capability-wakeup/eval-capability-wakeup-trials.ts"}, "region": {"startLine": 208}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 125228, "scanner": "repobility-threat-engine", "fingerprint": "7b8badcfac0aa3496b615d40c13ddc3ca33c58ee39b609e63845bf4ea973f7c6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b8badcfac0aa3496b615d40c13ddc3ca33c58ee39b609e63845bf4ea973f7c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/infrastructure/connectors/mention-parser.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 125227, "scanner": "repobility-threat-engine", "fingerprint": "09913c6b6485e1516b856073095f2d0924c2d847d8f4e721ee85141ffc440e66", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(regexStr", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|09913c6b6485e1516b856073095f2d0924c2d847d8f4e721ee85141ffc440e66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/memory/RecallFixtureRunner.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 125226, "scanner": "repobility-threat-engine", "fingerprint": "29be035477b3f3e59a0ef734919cbe3d553fa0fe22974146903a833a3d3200c9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29be035477b3f3e59a0ef734919cbe3d553fa0fe22974146903a833a3d3200c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/limb/LimbPairingStore.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 125214, "scanner": "repobility-threat-engine", "fingerprint": "43698bec7a54949b4600475c51136b565fbbe426c11a21494a68acd5296c8909", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|43698bec7a54949b4600475c51136b565fbbe426c11a21494a68acd5296c8909"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/infrastructure/websocket/BroadcastRateMonitor.ts"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 125213, "scanner": "repobility-threat-engine", "fingerprint": "045b029ccbd4a3592acef3683e933964a35da138c3e33a51b9ef03150b794c4b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|045b029ccbd4a3592acef3683e933964a35da138c3e33a51b9ef03150b794c4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/health/ActivityTracker.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 125212, "scanner": "repobility-threat-engine", "fingerprint": "9be1281713a25718e4238954166648756ef61702b3031a5b2d9a83a2b89c2c62", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9be1281713a25718e4238954166648756ef61702b3031a5b2d9a83a2b89c2c62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/catagent/catagent-stream-parser.ts"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 125211, "scanner": "repobility-threat-engine", "fingerprint": "f2571ec60d96702a6879a47654436b0f039380c756e46ba00bfdb9d344ed02be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2571ec60d96702a6879a47654436b0f039380c756e46ba00bfdb9d344ed02be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/antigravity/antigravity-ls-discovery.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 125210, "scanner": "repobility-threat-engine", "fingerprint": "f23cc921a519d29092d284846c330cb8eca9dc9b0e8b71b820a37cdc0251fddd", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Bytes(input.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f23cc921a519d29092d284846c330cb8eca9dc9b0e8b71b820a37cdc0251fddd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/antigravity/antigravity-cascade-health.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 125196, "scanner": "repobility-threat-engine", "fingerprint": "d42ff9a55df6b5ebd3acc7521ede107a565d72ae228800cda8c01ae346fdf6ba", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_cache.delete(catId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d42ff9a55df6b5ebd3acc7521ede107a565d72ae228800cda8c01ae346fdf6ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/config/session-strategy-overrides.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 125195, "scanner": "repobility-threat-engine", "fingerprint": "1bdd3f055c33d6d0862c7d279814ce057f1898d1473e50238c3643e4451a2ef6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hash.update(`dir-cycle\\0${prefix}\\0`);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1bdd3f055c33d6d0862c7d279814ce057f1898d1473e50238c3643e4451a2ef6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/config/governance/skill-conflict.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 125194, "scanner": "repobility-threat-engine", "fingerprint": "b0af8e45836e5c5137f7400eb7425ca69bea92835aadd15393313ae5ac73cf87", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tray.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b0af8e45836e5c5137f7400eb7425ca69bea92835aadd15393313ae5ac73cf87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/main.js"}, "region": {"startLine": 129}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 125192, "scanner": "repobility-threat-engine", "fingerprint": "5bd0f14ef02e66b598baae78c1ef39897008aab95b81a1a808f4494240affda8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5bd0f14ef02e66b598baae78c1ef39897008aab95b81a1a808f4494240affda8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/config/capabilities/capability-write-guards.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 125191, "scanner": "repobility-threat-engine", "fingerprint": "ef1c7819af6d4de8e38d476d2428525e43a9e3f034edc676e6f6ef1e38bc816a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef1c7819af6d4de8e38d476d2428525e43a9e3f034edc676e6f6ef1e38bc816a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/scripts/sync-agent-hooks-offline.mjs"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 125190, "scanner": "repobility-threat-engine", "fingerprint": "bebec377133cb66163ba789de73508d4d8b49b3fafb62b3cfe7fcee38db0b33e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(A", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bebec377133cb66163ba789de73508d4d8b49b3fafb62b3cfe7fcee38db0b33e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/main.js"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 125188, "scanner": "repobility-threat-engine", "fingerprint": "e030335cea21f046aaaa7a96e1d671fc604e63afcbd0d826b784f77d9fc048dc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(raw", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e030335cea21f046aaaa7a96e1d671fc604e63afcbd0d826b784f77d9fc048dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/routing/source-ranking.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 125187, "scanner": "repobility-threat-engine", "fingerprint": "49c3afa6d10814dea59525de3c2878a01db4a201a689669780f7cc743ba2cbc5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|49c3afa6d10814dea59525de3c2878a01db4a201a689669780f7cc743ba2cbc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/routing/final-routing-slot.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 125186, "scanner": "repobility-threat-engine", "fingerprint": "f96dc5045fa799852d155f2430474a9483bf2b8c73b077dbb8d76fe16dd4b6b7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(markdown", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f96dc5045fa799852d155f2430474a9483bf2b8c73b077dbb8d76fe16dd4b6b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/writing-skills/render-graphs.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 125181, "scanner": "repobility-threat-engine", "fingerprint": "30df85dac072b3bb23e2050c986030c3f54d8ea41ed70e6449fa49918ecd3ed1", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((e) => `${e.isDirectory() ? '[dir]  ' : '[file] '}${e.name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|30df85dac072b3bb23e2050c986030c3f54d8ea41ed70e6449fa49918ecd3ed1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/catagent/catagent-read-tools.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 125180, "scanner": "repobility-threat-engine", "fingerprint": "ef4c04112e3bfc30a9dc63eac0325eedc02da135fa36ae52fc35d2ea5840bc30", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((entry) => `${entry.isDirectory() ? '[dir]  ' : '[file] '}${entry.name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef4c04112e3bfc30a9dc63eac0325eedc02da135fa36ae52fc35d2ea5840bc30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/agents/providers/antigravity/executors/IdeReadToolExecutor.ts"}, "region": {"startLine": 237}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 125179, "scanner": "repobility-threat-engine", "fingerprint": "dbf3fed4438dcc3ee04509a09b7d8106a59f8b8dcaf65c01a1a73e51898b49d5", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line) => `  ${line}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dbf3fed4438dcc3ee04509a09b7d8106a59f8b8dcaf65c01a1a73e51898b49d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cat-cafe-skills/writing-skills/render-graphs.js"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 125221, "scanner": "repobility-threat-engine", "fingerprint": "7671ecb6d34a53eac786d7604d9e30c1f6047685b51c7ca6232794c0c961f788", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7671ecb6d34a53eac786d7604d9e30c1f6047685b51c7ca6232794c0c961f788"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/stores/redis/RedisPendingRequestStore.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 125220, "scanner": "repobility-threat-engine", "fingerprint": "1fe4ffc10ce520ecc5211e45f1155baee78f02dd716c274b866fbf3d2f02bed6", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1fe4ffc10ce520ecc5211e45f1155baee78f02dd716c274b866fbf3d2f02bed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/stores/redis/RedisCommunityIssueStore.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 125219, "scanner": "repobility-threat-engine", "fingerprint": "c831c0ed989fc69e6633869ac0584e2d6dd750b3e2213a9393984969895c010a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c831c0ed989fc69e6633869ac0584e2d6dd750b3e2213a9393984969895c010a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/api/src/domains/cats/services/runtime-session/RedisRuntimeSessionStore.ts"}, "region": {"startLine": 105}}}]}]}]}