{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "QUAL003", "name": "Magic number used as default arg", "shortDescription": {"text": "Magic number used as default arg"}, "fullDescription": {"text": "Using hardcoded default values for complex configuration objects makes the code brittle and difficult to manage. Consider using a dedicated factory or builder pattern.\n\nAuto-promoted from proposal 444 on 2026-05-12. Synth confidence: 0.85. FP estimate: 0.00."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "CRYP001", "name": "Crypto \u2014 plaintext HTTP for sensitive endpoint", "shortDescription": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "fullDescription": {"text": "Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "XSS001", "name": "Cross-site scripting \u2014 dangerouslySetInnerHTML", "shortDescription": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "fullDescription": {"text": "dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"scanner": "repobility", "category": "injection", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "JRN006", "name": "Documented legal route has no visible implementation", "shortDescription": {"text": "Documented legal route has no visible implementation"}, "fullDescription": {"text": "A public legal/privacy/terms/biometric route is referenced, but no matching frontend page or backend route was found."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /ll"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /llms.mdx/::...slug."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "QUAL005", "name": "Cluster of TODOs in one file", "shortDescription": {"text": "Cluster of TODOs in one file"}, "fullDescription": {"text": "Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "low", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "A generated replacement file defining the same public function or class name as another module can mean the new logic is not actually wired into the running code."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/337"}, "properties": {"repository": "TypeCellOS/BlockNote", "repoUrl": "https://github.com/TypeCellOS/BlockNote", "branch": "main"}, "results": [{"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21876, "scanner": "repobility", "fingerprint": "b074ca9064837bd1af2a6283326a1711", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "default 5", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react/src/components/Comments/ThreadsSidebar.tsx"}, "region": {"startLine": 179}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13860, "scanner": "repobility", "fingerprint": "0ffc9ddab24a4e4d0aee177bae7166fc", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/xl-odt-exporter/src/odt/odtExporter.tsx"}, "region": {"startLine": 197}}}]}, {"ruleId": "XSS001", "level": "warning", "message": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "properties": {"repobilityId": 13429, "scanner": "repobility", "fingerprint": "3b43e92bfd1a2bae27a1ab181f7afda2", "category": "injection", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "dangerouslySetInnerHTML", "aljefra_cwe": ["CWE-79"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "react-dangerously-set-html"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/xl-odt-exporter/src/odt/odtExporter.tsx"}, "region": {"startLine": 243}}}]}, {"ruleId": "XSS001", "level": "warning", "message": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "properties": {"repobilityId": 13428, "scanner": "repobility", "fingerprint": "40278d7d9daf21d95bdc524523c29116", "category": "injection", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "dangerouslySetInnerHTML", "aljefra_cwe": ["CWE-79"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "react-dangerously-set-html"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/xl-odt-exporter/src/odt/odtExporter.tsx"}, "region": {"startLine": 236}}}]}, {"ruleId": "XSS001", "level": "warning", "message": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "properties": {"repobilityId": 13427, "scanner": "repobility", "fingerprint": "5fba543d2fccf604d7aa88ac0bdbf5bc", "category": "injection", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "dangerouslySetInnerHTML", "aljefra_cwe": ["CWE-79"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "react-dangerously-set-html"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react/src/components/FormattingToolbar/ExperimentalMobileFormattingToolbarController.tsx"}, "region": {"startLine": 76}}}]}, {"ruleId": "XSS001", "level": "warning", "message": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "properties": {"repobilityId": 13426, "scanner": "repobility", "fingerprint": "280759ce203a1a9917e217510d3c1f82", "category": "injection", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "dangerouslySetInnerHTML", "aljefra_cwe": ["CWE-79"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "react-dangerously-set-html"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react/src/components/Popovers/GenericPopover.tsx"}, "region": {"startLine": 175}}}]}, {"ruleId": "XSS001", "level": "warning", "message": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "properties": {"repobilityId": 13425, "scanner": "repobility", "fingerprint": "d4d77f293da9ddfc58c699950e02c1d1", "category": "injection", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "dangerouslySetInnerHTML", "aljefra_cwe": ["CWE-79"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "react-dangerously-set-html"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/(home)/_components/ui/FeatureWindow.tsx"}, "region": {"startLine": 68}}}]}, {"ruleId": "JRN006", "level": "warning", "message": {"text": "Documented legal route has no visible implementation"}, "properties": {"repobilityId": 10660, "scanner": "repobility-journey-contract", "fingerprint": "ef99843a813249f1af7892df2a917b89164c2dd9bb7ed951beaf6a02a96e4cc8", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Internal /legal route reference does not match discovered frontend pages or backend route shapes.", "evidence": {"rule_id": "JRN006", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|ef99843a813249f1af7892df2a917b89164c2dd9bb7ed951beaf6a02a96e4cc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/redirects.ts"}, "region": {"startLine": 252}}}]}, {"ruleId": "JRN006", "level": "warning", "message": {"text": "Documented legal route has no visible implementation"}, "properties": {"repobilityId": 10659, "scanner": "repobility-journey-contract", "fingerprint": "064b4c3ea650b8fd6d82d47567d08570ce5383b0c59fa424cf2fbe6ad2745665", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Internal /legal route reference does not match discovered frontend pages or backend route shapes.", "evidence": {"rule_id": "JRN006", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|064b4c3ea650b8fd6d82d47567d08570ce5383b0c59fa424cf2fbe6ad2745665"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/redirects.ts"}, "region": {"startLine": 247}}}]}, {"ruleId": "JRN006", "level": "warning", "message": {"text": "Documented legal route has no visible implementation"}, "properties": {"repobilityId": 10658, "scanner": "repobility-journey-contract", "fingerprint": "a8b1d23231d0f78c3b427c3529c7a735648f65b2c6dc2903b96abddf1b027549", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Internal /legal route reference does not match discovered frontend pages or backend route shapes.", "evidence": {"rule_id": "JRN006", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|a8b1d23231d0f78c3b427c3529c7a735648f65b2c6dc2903b96abddf1b027549"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/components/Footer.tsx"}, "region": {"startLine": 125}}}]}, {"ruleId": "JRN006", "level": "warning", "message": {"text": "Documented legal route has no visible implementation"}, "properties": {"repobilityId": 10657, "scanner": "repobility-journey-contract", "fingerprint": "36d7e830fc3976f7ed402eba0f14ad1b753c13580127630bf1c4aa697bdb9cb9", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Internal /legal route reference does not match discovered frontend pages or backend route shapes.", "evidence": {"rule_id": "JRN006", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|36d7e830fc3976f7ed402eba0f14ad1b753c13580127630bf1c4aa697bdb9cb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/components/Footer.tsx"}, "region": {"startLine": 120}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /llms.mdx/::...slug."}, "properties": {"repobilityId": 10655, "scanner": "repobility-access-control", "fingerprint": "b4e568a3474f164e4b57235a13e52715688b1ed3d41cebfc743dc714699fd583", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llms.mdx/::...slug", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|docs/app/llms.mdx/ ...slug /route.ts|11|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/llms.mdx/[[...slug]]/route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /llms-full.txt."}, "properties": {"repobilityId": 10654, "scanner": "repobility-access-control", "fingerprint": "47ab32123525bd2e31111a58c6311b66b12bd3cff3f9537b6371c8cfe3ac9090", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llms-full.txt", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|6|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/llms-full.txt/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /llms.txt."}, "properties": {"repobilityId": 10653, "scanner": "repobility-access-control", "fingerprint": "7e9db86c80068685c83ff9d4df69349196e934248b7411b0c71faf9ead81bd75", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llms.txt", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|docs/app/llms.txt/route.ts|5|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/llms.txt/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 10652, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 3, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 10651, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10645, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c31a4033b9afdd70647e99d4868f3b6a73cd5b3e20a88f3c3d4a08d049e57a82", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ariakit/src/comments/Editor.tsx", "duplicate_line": 1, "correlation_key": "fp|c31a4033b9afdd70647e99d4868f3b6a73cd5b3e20a88f3c3d4a08d049e57a82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mantine/src/comments/Editor.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10644, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1a5b0d49e3d8dcee671359716365b12794bb02dd7e607940c2367ccfb6b7618", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ariakit/src/comments/Comment.tsx", "duplicate_line": 9, "correlation_key": "fp|e1a5b0d49e3d8dcee671359716365b12794bb02dd7e607940c2367ccfb6b7618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mantine/src/comments/Comment.tsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10643, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1095e8c0ca305816103e9c8411e4607a8f4131b3e52027d3f6cfe4c056b1fffd", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ariakit/src/badge/Badge.tsx", "duplicate_line": 13, "correlation_key": "fp|1095e8c0ca305816103e9c8411e4607a8f4131b3e52027d3f6cfe4c056b1fffd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mantine/src/badge/Badge.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10642, "scanner": "repobility-ai-code-hygiene", "fingerprint": "63ae897c4ce4339ba6ca5c52248b2315ecc64bf1d8692b408b90adbae5bd8930", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/code-block/vite.config.ts", "duplicate_line": 41, "correlation_key": "fp|63ae897c4ce4339ba6ca5c52248b2315ecc64bf1d8692b408b90adbae5bd8930"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/vite.config.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10641, "scanner": "repobility-ai-code-hygiene", "fingerprint": "879766b077c6156688b4a611a76c64e597ab9d929723e9de87670adb356f96f3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ariakit/vite.config.ts", "duplicate_line": 33, "correlation_key": "fp|879766b077c6156688b4a611a76c64e597ab9d929723e9de87670adb356f96f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/vite.config.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10640, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d17e1940cd04efe9b3a33d2519affa29c0ebcc0bc502cd35066faaa9a536644d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/schema/inlineContent/createSpec.ts", "duplicate_line": 57, "correlation_key": "fp|d17e1940cd04efe9b3a33d2519affa29c0ebcc0bc502cd35066faaa9a536644d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/schema/styles/createSpec.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10639, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d8c43ccc2ca6e3cd0139df41a2b49660eff999505b3c31f40d11f02aaf9443b", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/mantine/src/defaultThemes copy.ts", "duplicate_line": 44, "correlation_key": "fp|1d8c43ccc2ca6e3cd0139df41a2b49660eff999505b3c31f40d11f02aaf9443b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/editor/defaultColors.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10638, "scanner": "repobility-ai-code-hygiene", "fingerprint": "834d4604a0392985056adad51d22dd4075947ac094fa366260b36342ff6add9d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/blocks/ListItem/BulletListItem/block.ts", "duplicate_line": 49, "correlation_key": "fp|834d4604a0392985056adad51d22dd4075947ac094fa366260b36342ff6add9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/blocks/ListItem/NumberedListItem/block.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10637, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c6f70068fd642de8454fb88f566f65085030b5d1075a24376b51ac8fd9a5371", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/blocks/Audio/block.ts", "duplicate_line": 24, "correlation_key": "fp|4c6f70068fd642de8454fb88f566f65085030b5d1075a24376b51ac8fd9a5371"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/blocks/Image/block.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10636, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43ac978e03484e0502dece06774512a51f0931b5bebbacef2b4d2a97017f6b03", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/api/exporters/html/util/serializeBlocksExternalHTML.ts", "duplicate_line": 52, "correlation_key": "fp|43ac978e03484e0502dece06774512a51f0931b5bebbacef2b4d2a97017f6b03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/api/exporters/html/util/serializeBlocksInternalHTML.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10635, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e89534517245511951e4675a34f6e9773f0ae8a5d50f84bbc40d987219754ed9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ariakit/vite.config.ts", "duplicate_line": 34, "correlation_key": "fp|e89534517245511951e4675a34f6e9773f0ae8a5d50f84bbc40d987219754ed9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/code-block/vite.config.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10634, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6728618de7e437d269f9cae15d2a8ed9e550fbd50a0c100a7fec3e0703674f09", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ariakit/src/menu/Button.tsx", "duplicate_line": 8, "correlation_key": "fp|6728618de7e437d269f9cae15d2a8ed9e550fbd50a0c100a7fec3e0703674f09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ariakit/src/sideMenu/SideMenuButton.tsx"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 10633, "scanner": "repobility-ai-code-hygiene", "fingerprint": "585c363b2fa7b4ba09eb4ed36069a337eaeddb766f580db86b3381adc020cf51", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "copy", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "packages/mantine/src/defaultThemes.ts", "correlation_key": "fp|585c363b2fa7b4ba09eb4ed36069a337eaeddb766f580db86b3381adc020cf51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mantine/src/defaultThemes copy.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22173, "scanner": "repobility", "fingerprint": "fc655b780090bc24150e4e46fb777187", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "TODO: in a future version, we might want to implement", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/schema/blocks/createSpec.ts"}, "region": {"startLine": 224}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22172, "scanner": "repobility", "fingerprint": "c6007ae3ed8b591cf29ff17082c8f5d0", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "TODO: if REST API becomes popular, all interactions (click handlers) should implement", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react/src/components/Comments/Comment.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22171, "scanner": "repobility", "fingerprint": "612b78fbc386815b161bdcd318f068c5", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "TODO: if REST API becomes popular, all interactions (click handlers) should implement", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/react/src/components/Comments/Thread.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 10656, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 10650, "scanner": "repobility-threat-engine", "fingerprint": "0dc9949aa0c579bad577e6bb0feaf2cd95d8cd89ee80ec4ce489af7333d4b413", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML +=", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|109|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/blocks/defaultBlockHelpers.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 10646, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e53b39de90800a6a051948593276bbf78301fec58295807da6624a96c744a620", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "darkDefaultTheme", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "packages/mantine/src/defaultThemes.ts", "correlation_key": "fp|e53b39de90800a6a051948593276bbf78301fec58295807da6624a96c744a620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mantine/src/defaultThemes copy.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10649, "scanner": "repobility-threat-engine", "fingerprint": "82c697304fc0b427081d0e05cda26cf0dc9d66529f1f3351996374404799ecf9", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|251|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/xl-ai/src/prosemirror/agent.ts"}, "region": {"startLine": 251}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10648, "scanner": "repobility-threat-engine", "fingerprint": "7f886133a3b608d380a59badfb495e624837d85b4c2d2ff1c90cfbb44ff48345", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|53|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/demo/_components/utils.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10647, "scanner": "repobility-threat-engine", "fingerprint": "e9885625242a9fbbfa25cd1a127c5b382701eb715805588ff421625e93c704c4", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|103|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/demo/_components/DemoEditor.tsx"}, "region": {"startLine": 103}}}]}]}]}