{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. 
Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /do"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /tag."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). 
Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": 
"Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "Keep one authoritative implementation, update imports to point at it, and remove or rename the duplicate symbol."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional file. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Use the secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "Use a server-side one-time authorization code tied to a registered callback allowlist. 
Do not append access tokens to callback URLs or fragments."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/487"}, "properties": {"repository": "medusajs/medusa", "repoUrl": "https://github.com/medusajs/medusa.git", "branch": "develop"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 28733, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 28732, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", 
"https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28727, "scanner": "repobility-journey-contract", "fingerprint": "1bcea263b9e9cd7c4448d9a81c79fea43b81eb0cd0be71e858a82971f4bc44a3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin", "correlation_key": "fp|1bcea263b9e9cd7c4448d9a81c79fea43b81eb0cd0be71e858a82971f4bc44a3", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "www/packages/remark-rehype-plugins/src/change-links-md.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28726, "scanner": "repobility-journey-contract", "fingerprint": "665cea3ea5501a18f114c051e1ef8580a8a804def51ec88e26551a384fc9537d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/store", "correlation_key": 
"fp|665cea3ea5501a18f114c051e1ef8580a8a804def51ec88e26551a384fc9537d", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "www/packages/remark-rehype-plugins/src/change-links-md.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28725, "scanner": "repobility-journey-contract", "fingerprint": "b2298683a7e970f1f411d2d38cc4bcf94215689c2fea56f30cfd7fe133366fdd", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/store", "correlation_key": "fp|b2298683a7e970f1f411d2d38cc4bcf94215689c2fea56f30cfd7fe133366fdd", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "www/packages/docs-ui/src/constants.tsx"}, "region": {"startLine": 326}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28724, "scanner": "repobility-journey-contract", "fingerprint": "0953706d55b5a71dc7ec190662fdf8ddec319e51b3f9e06316298f367a4bfe8b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin", "correlation_key": 
"fp|0953706d55b5a71dc7ec190662fdf8ddec319e51b3f9e06316298f367a4bfe8b", "backend_endpoint_count": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "www/packages/docs-ui/src/constants.tsx"}, "region": {"startLine": 320}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 28723, "scanner": "repobility-journey-contract", "fingerprint": "845c2c0c1fec967909460f947fd4b35eebdc172ad14ee2b06cd37c2cd0529311", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|370|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/js-sdk/src/client.ts"}, "region": {"startLine": 370}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 28722, "scanner": "repobility-journey-contract", "fingerprint": "c558ff727f93c7524fbcec7fa674c815f3db040294c1f396854add4272d7a961", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|366|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/js-sdk/src/client.ts"}, "region": {"startLine": 366}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": 
"[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /download/:area."}, "properties": {"repobilityId": 28720, "scanner": "repobility-access-control", "fingerprint": "98499614b750c924dd24a335ad0e5a7fab3fd720e127e720eff3eee894b32059", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/download/:area", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / area /route.ts|11|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "www/apps/api-reference/app/download/[area]/route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /schema."}, "properties": {"repobilityId": 28719, "scanner": "repobility-access-control", "fingerprint": "1d923565087080673194a843b04104e419f9ea90d66768606b7ebb25537f753e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/schema", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|5|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "www/apps/api-reference/app/schema/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /references/:...slug/route."}, "properties": {"repobilityId": 28718, "scanner": "repobility-access-control", "fingerprint": "20e70e7bd8ffdc4e3ea9ce4eff4e2f09f2204c089185e705c41c0472d1cc1f75", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/references/:...slug/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / ...slug /route.ts|20|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "www/apps/resources/app/api/references/[...slug]/route.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /tag."}, "properties": {"repobilityId": 28717, "scanner": "repobility-access-control", "fingerprint": "5051714444d4d2f7497e1ab7e45df79a7c242b29bcc7895f7abfc2e34a3fdba8", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/tag", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|4|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "www/apps/api-reference/app/tag/route.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /base-specs."}, "properties": {"repobilityId": 28716, "scanner": "repobility-access-control", "fingerprint": "26064e739e8e293e59acb0f1faf92497f08e83aef63c5bc332384e683acba037", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/base-specs", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|9|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "www/apps/api-reference/app/base-specs/route.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 28715, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 28682, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c663fba24678feb55e7de42ddcf1f81af36cba115b95f71a2d4fface222beb7c", "category": 
"quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "old", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "packages/core/utils/src/dal/mikro-orm/mikro-orm-serializer.ts", "correlation_key": "fp|c663fba24678feb55e7de42ddcf1f81af36cba115b95f71a2d4fface222beb7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/utils/src/dal/mikro-orm/mikro-orm-serializer-old.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 28679, "scanner": "repobility-threat-engine", "fingerprint": "17de473fcc9ed42697fdd819794b922aa3e89bab8de64ff3ff5e81eb9dd7a3e9", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|6|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/oas/medusa-oas-cli/src/utils/yaml-utils.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 28678, "scanner": "repobility-threat-engine", "fingerprint": "df56d3f1a698be5725db2b5213806144ee6f9f2a8c04d2c373ee71c94b5d4283", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df56d3f1a698be5725db2b5213806144ee6f9f2a8c04d2c373ee71c94b5d4283"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/medusa-cli/scripts/postinstall.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 28731, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 28730, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": 
"fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 28729, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 28728, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style 
file"}, "properties": {"repobilityId": 28714, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b507bddc101d67e69ed6554796c64d07e0396a20909fecdfccafd0024971124", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "EntitySerializer", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "packages/core/utils/src/dal/mikro-orm/mikro-orm-serializer.ts", "correlation_key": "fp|0b507bddc101d67e69ed6554796c64d07e0396a20909fecdfccafd0024971124"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/utils/src/dal/mikro-orm/mikro-orm-serializer-old.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28713, "scanner": "repobility-ai-code-hygiene", "fingerprint": "98f207b9fccab6814abdbc0a1b555eeb2c8af7ece9bc15261cb534a82f022819", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/hooks/api/claims.tsx", "duplicate_line": 246, "correlation_key": "fp|98f207b9fccab6814abdbc0a1b555eeb2c8af7ece9bc15261cb534a82f022819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/hooks/api/exchanges.tsx"}, "region": {"startLine": 165}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 28712, "scanner": "repobility-ai-code-hygiene", "fingerprint": "275633ad80931224c32734f1059e90d4ac51e72759900d005af9fc3a6a208303", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/hooks/api/categories.tsx", "duplicate_line": 3, "correlation_key": "fp|275633ad80931224c32734f1059e90d4ac51e72759900d005af9fc3a6a208303"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/hooks/api/collections.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5fe65270fd404e56cd6759a35bb342836eb8be92bcfe1e59b67dadff5f05e954", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/table/view-selector/view-pills.tsx", "duplicate_line": 50, "correlation_key": "fp|5fe65270fd404e56cd6759a35bb342836eb8be92bcfe1e59b67dadff5f05e954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/table/view-selector/view-selector.tsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
28710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2aa7ea803b063eec8ac2a9ae50337ccfdde60234b5e82dbac861098a961b5a14", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/table/table-cells/common/name-cell/name-cell.tsx", "duplicate_line": 12, "correlation_key": "fp|2aa7ea803b063eec8ac2a9ae50337ccfdde60234b5e82dbac861098a961b5a14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/table/table-cells/sales-channel/name-cell/name-cell.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf06aae0f79734685304e9e46db8125fad19c4bcbd12c0757e350909f9a6ca0a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/data-table/components/data-table-status-cell/data-table-status-cell.tsx", "duplicate_line": 10, "correlation_key": "fp|bf06aae0f79734685304e9e46db8125fad19c4bcbd12c0757e350909f9a6ca0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/table/table-cells/common/status-cell/status-cell.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "254395d4d012b1930be47174ea9370bf31198d38df964646a67c0ae07ef3f252", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/table/table-cells/common/created-at-cell/created-at-cell.tsx", "duplicate_line": 9, "correlation_key": "fp|254395d4d012b1930be47174ea9370bf31198d38df964646a67c0ae07ef3f252"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/table/table-cells/common/date-cell/date-cell.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ad43456de0aebf3666b387de329bb7ac01482c133f28db32dc751bfd6b15d4a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/table/data-table/data-table-filter/string-filter.tsx", "duplicate_line": 24, "correlation_key": "fp|ad43456de0aebf3666b387de329bb7ac01482c133f28db32dc751bfd6b15d4a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/admin/dashboard/src/components/table/data-table/data-table-search/data-table-search.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b79ec12be3c9015336d6d6cea3fe41594508622df49845970746db01c9136375", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/filtering/order-by/order-by.tsx", "duplicate_line": 20, "correlation_key": "fp|b79ec12be3c9015336d6d6cea3fe41594508622df49845970746db01c9136375"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/table/data-table/data-table-order-by/data-table-order-by.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42a46ae8e40d13b3a4a51eaaf74337ac94020509cecf596351863e3ed9e49266", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/table/data-table/data-table-filter/select-filter.tsx", "duplicate_line": 90, "correlation_key": 
"fp|42a46ae8e40d13b3a4a51eaaf74337ac94020509cecf596351863e3ed9e49266"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/table/data-table/data-table-filter/string-filter.tsx"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ad0bf52ffb438b8b62b4b8c9310a6fc987e438b802aec55bcccf511465e9559", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/table/data-table/data-table-filter/date-filter.tsx", "duplicate_line": 111, "correlation_key": "fp|4ad0bf52ffb438b8b62b4b8c9310a6fc987e438b802aec55bcccf511465e9559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/table/data-table/data-table-filter/number-filter.tsx"}, "region": {"startLine": 133}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "beae3c7930f47f83db08a90000b50bd01495b7461c777f1d6f395ea5b9393bc1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/admin/dashboard/src/components/data-grid/components/data-grid-keyboard-shortcut-modal.tsx", "duplicate_line": 187, "correlation_key": "fp|beae3c7930f47f83db08a90000b50bd01495b7461c777f1d6f395ea5b9393bc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/layout/user-menu/user-menu.tsx"}, "region": {"startLine": 220}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27803267ac272c80a81e8c49320ad823272a3b0fb86387b23eba810f4874c294", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/layout/main-layout/main-layout.tsx", "duplicate_line": 60, "correlation_key": "fp|27803267ac272c80a81e8c49320ad823272a3b0fb86387b23eba810f4874c294"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/layout/user-menu/user-menu.tsx"}, "region": {"startLine": 180}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b3defa18797a1529dc4bddd942be43444ec9cbfb3b8e598296cd573e4daea5d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/layout/main-layout/main-layout.tsx", "duplicate_line": 336, "correlation_key": "fp|5b3defa18797a1529dc4bddd942be43444ec9cbfb3b8e598296cd573e4daea5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/layout/settings-layout/settings-layout.tsx"}, "region": {"startLine": 231}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3cea7f9b9ca7f9fc68c3ac4881fdc3c8f326e13741d9c2cfe24dd92e9f86cc8b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/layout/pages/single-column-page/single-column-page.tsx", "duplicate_line": 15, "correlation_key": "fp|3cea7f9b9ca7f9fc68c3ac4881fdc3c8f326e13741d9c2cfe24dd92e9f86cc8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/layout/pages/two-column-page/two-column-page.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c1386a89c6356ff22d8ad16a526bb6c694c5142e38718766f7b013be0adfe09e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/data-grid/components/data-grid-number-cell.tsx", "duplicate_line": 15, "correlation_key": "fp|c1386a89c6356ff22d8ad16a526bb6c694c5142e38718766f7b013be0adfe09e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/data-grid/components/data-grid-toggleable-number-cell.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c0082dce56f8233d7e6720c868354e2d41e3211d8835ddea80f0d83c683d4bc2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/data-grid/components/data-grid-boolean-cell.tsx", "duplicate_line": 11, "correlation_key": "fp|c0082dce56f8233d7e6720c868354e2d41e3211d8835ddea80f0d83c683d4bc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/data-grid/components/data-grid-text-cell.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf9e8a9e9e3fb16a263afbe4aa6500c0af936e97d530cbe5626148566ea3a894", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/data-grid/components/data-grid-multiline-cell.tsx", "duplicate_line": 9, "correlation_key": "fp|bf9e8a9e9e3fb16a263afbe4aa6500c0af936e97d530cbe5626148566ea3a894"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/data-grid/components/data-grid-text-cell.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aee313758f66afc1c747b9b8b7b5b7e031a43be20ab1b52c4eb6bc1f439f57f4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/data-grid/components/data-grid-boolean-cell.tsx", "duplicate_line": 11, "correlation_key": "fp|aee313758f66afc1c747b9b8b7b5b7e031a43be20ab1b52c4eb6bc1f439f57f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/data-grid/components/data-grid-number-cell.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f52366d13ca6f840266253f91bc2bd13205069b76961c85daa0d880e7e71d2bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/dashboard/src/components/common/logo-box/avatar-box.tsx", "duplicate_line": 19, "correlation_key": "fp|f52366d13ca6f840266253f91bc2bd13205069b76961c85daa0d880e7e71d2bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/common/logo-box/logo-box.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7a69a4c5cb0b75428a2f9c2dec3866c844f75460d5f6271f73d45a053216df5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/admin-vite-plugin/src/routes/generate-menu-items.ts", "duplicate_line": 72, "correlation_key": "fp|e7a69a4c5cb0b75428a2f9c2dec3866c844f75460d5f6271f73d45a053216df5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/admin-vite-plugin/src/routes/generate-routes.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "885dd0ac630a39c65386d43dac8657eb927c8b84cfe8e43e5d158967894f6459", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/admin-vite-plugin/src/custom-fields/generate-custom-field-displays.ts", "duplicate_line": 39, "correlation_key": "fp|885dd0ac630a39c65386d43dac8657eb927c8b84cfe8e43e5d158967894f6459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/admin-vite-plugin/src/custom-fields/generate-custom-field-links.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d31b7b8ecdf0d1792d00f4fddb38e07419fb3090c1787d133625c45babf1da2f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/admin-vite-plugin/src/custom-fields/generate-custom-field-forms.ts", "duplicate_line": 66, "correlation_key": "fp|d31b7b8ecdf0d1792d00f4fddb38e07419fb3090c1787d133625c45babf1da2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/admin-vite-plugin/src/custom-fields/generate-custom-field-links.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28691, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17f2bc09ef6d43facf65f4097fca6555840b15e4e040fc2d20e18caeb91170d5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/admin/admin-vite-plugin/src/custom-fields/generate-custom-field-displays.ts", "duplicate_line": 39, "correlation_key": "fp|17f2bc09ef6d43facf65f4097fca6555840b15e4e040fc2d20e18caeb91170d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/admin-vite-plugin/src/custom-fields/generate-custom-field-forms.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28690, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f027cc95cc8e693879d88092facbaf9d57b158bc05db9d6ff9758740b94e82a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration-tests/http/src/utils/providers/fulfillment-manual-calculated/services/manual-fulfillment.ts", "duplicate_line": 1, "correlation_key": "fp|f027cc95cc8e693879d88092facbaf9d57b158bc05db9d6ff9758740b94e82a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/modules/src/utils/providers/fulfillment-manual-calculated/services/manual-fulfillment.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28689, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ad30a379e3c770e0060051985dee28a4a10648cb45568d924ab1da2a5f444fd2", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration-tests/api/medusa-config.js", "duplicate_line": 94, "correlation_key": "fp|ad30a379e3c770e0060051985dee28a4a10648cb45568d924ab1da2a5f444fd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/modules/medusa-config.ts"}, "region": {"startLine": 168}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28688, "scanner": "repobility-ai-code-hygiene", "fingerprint": "707d184c571f0acc43d131d114b5d9b4e63856e4c5ebe09a91b4524f57625ebc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration-tests/http/jest.config.js", "duplicate_line": 6, "correlation_key": "fp|707d184c571f0acc43d131d114b5d9b4e63856e4c5ebe09a91b4524f57625ebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/modules/jest.config.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28687, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8bca90e0efef2b7f2c3ce36802a67e36b305a48db494721847c3be926b77f9f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration-tests/api/jest.config.js", "duplicate_line": 5, "correlation_key": "fp|8bca90e0efef2b7f2c3ce36802a67e36b305a48db494721847c3be926b77f9f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/modules/jest.config.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28686, "scanner": "repobility-ai-code-hygiene", "fingerprint": "835ced8aa99d2493f53e18b3e6511b12f9ed325d9f89871062a65b86fdd3046b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "define_jest_config.js", "duplicate_line": 3, "correlation_key": "fp|835ced8aa99d2493f53e18b3e6511b12f9ed325d9f89871062a65b86fdd3046b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/jest.config.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28685, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bdfa8d7e3c861f6210c62545f905ae6a32cd4924ded35e39f729b95c071f8892", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "integration-tests/http/__fixtures__/worker-mode-server/medusa-config.js", "duplicate_line": 27, "correlation_key": "fp|bdfa8d7e3c861f6210c62545f905ae6a32cd4924ded35e39f729b95c071f8892"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/http/medusa-config.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d967eace473c1de465e07d3a3cf4fee481b404b6f8027754b49d25c59b330bfd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integration-tests/api/jest.config.js", "duplicate_line": 1, "correlation_key": "fp|d967eace473c1de465e07d3a3cf4fee481b404b6f8027754b49d25c59b330bfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/http/jest.config.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 28683, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f84300de288a4831557e2d5b7a6546876d62fe137c2a8c5e5d82a5abe8badbad", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": 
"fp|f84300de288a4831557e2d5b7a6546876d62fe137c2a8c5e5d82a5abe8badbad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/modules/order/src/utils/actions/item-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 28681, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4287c886e7c50ef87ffbc878e750e4f7638e8b4d8fa78bb4bf1f7e6de7f844c", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|f4287c886e7c50ef87ffbc878e750e4f7638e8b4d8fa78bb4bf1f7e6de7f844c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/utils/src/common/deep-copy.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 28680, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d19526469d098a2404f529544c0fcfc6afc2407f174abc1e041c2d9eaf3c5c0", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|1d19526469d098a2404f529544c0fcfc6afc2407f174abc1e041c2d9eaf3c5c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/core-flows/src/customer/steps/utils/unset-address-for-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 28677, "scanner": "repobility-threat-engine", "fingerprint": "821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 28673, "scanner": "repobility-threat-engine", "fingerprint": "7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 28672, "scanner": "repobility-threat-engine", "fingerprint": "83e271dbf2ebecf3fcba67b95b6162e130cbf817903ef6e78e34d630a7d04c7a", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|87|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/common/file-upload/file-upload.tsx"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 28671, "scanner": "repobility-threat-engine", "fingerprint": "92834272964cbb521dcb6311aaf0f683dcd9af931937048e8c148ab23a4b61f4", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|464|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/medusa-cli/src/commands/new.ts"}, "region": {"startLine": 464}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 28670, "scanner": "repobility-threat-engine", "fingerprint": "92a011f662d2e4246c3311a97a09b2153bbed00761a71e6e821bce7a4b01d9df", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|49|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/create-medusa-app/src/utils/facts.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28676, "scanner": "repobility-threat-engine", "fingerprint": "cc189d594c1399ab155c771ce5f8c73a1b54e621224673b48dbead3e99f7194f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cc189d594c1399ab155c771ce5f8c73a1b54e621224673b48dbead3e99f7194f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/routes/product-tags/product-tag-list/loader.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28675, "scanner": "repobility-threat-engine", "fingerprint": "2ef4cf9e537f2f13e5bfb5687b768d4b8360da0484fe0476a00714e06d7dfe24", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2ef4cf9e537f2f13e5bfb5687b768d4b8360da0484fe0476a00714e06d7dfe24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/routes/orders/order-detail/components/order-fulfillment-section/order-fulfillment-section.tsx"}, "region": {"startLine": 419}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28674, "scanner": "repobility-threat-engine", "fingerprint": "2da8e89e46f0b949e3b5c050fa792b50c10f832b3b12407d875d6b329f55f43b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2da8e89e46f0b949e3b5c050fa792b50c10f832b3b12407d875d6b329f55f43b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/admin/dashboard/src/components/common/file-upload/file-upload.tsx"}, "region": {"startLine": 88}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 28721, "scanner": "repobility-journey-contract", "fingerprint": "c6abf670c3934aa851665308843d1e02c176fdddcf71dc61dc07790c0eed4eae", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|194|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/create-medusa-app/src/utils/project-creator/medusa-project-creator.ts"}, "region": {"startLine": 194}}}]}]}]}