{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /r"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 9 more): Same pattern found in 9 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 22 more): Same pattern found in 22 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 71 more): Same pattern found in 71 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 71 more): Same pattern found in 71 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 31 more): Same pattern found in 31 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 22 more): Same pattern found in 22 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 61 more): Same pattern found in 61 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 61 more): Same pattern found in 61 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 3 more): Same pattern found in 3 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 4 more): Same pattern found in 4 additional files. Review i", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 24 more): Same pattern found in 24 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 52 more): Same pattern found in 52 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `@mcpjam/sdk` pulled from URL/Git: `dependencies.@mcpjam/sdk` = `file:../../../sdk` bypasses", "shortDescription": {"text": "[MINED122] package.json dep `@mcpjam/sdk` pulled from URL/Git: `dependencies.@mcpjam/sdk` = `file:../../../sdk` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromis"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /api/web/testing/tools/list-no-rpc-logs has no auth: Express route POST /api/web/testing/tools/l", "shortDescription": {"text": "[MINED113] Express POST /api/web/testing/tools/list-no-rpc-logs has no auth: Express route POST /api/web/testing/tools/list-no-rpc-logs declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on"}, "fullDescription": {"text": "Add an auth middleware: app.post('/api/web/testing/tools/list-no-rpc-logs', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC033", "name": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without fil", "shortDescription": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting ever"}, "fullDescription": {"text": "Sanitize keys BEFORE merge:\n  function sanitize(obj) {\n    delete obj.__proto__;\n    delete obj.constructor;\n    delete obj.prototype;\n    return obj;\n  }\nOr use Object.create(null) for the target. Or use Map() for user-key-indexed data. Upgrade lodash >= 4.17.21 for partial mitigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED133", "name": "[MINED133] Hardcoded Slack webhook URL in source: File contains a hardcoded `Slack` webhook URL: `https://hooks.slack.co", "shortDescription": {"text": "[MINED133] Hardcoded Slack webhook URL in source: File contains a hardcoded `Slack` webhook URL: `https://hooks.slack.com/services/T/B/NEW...`. Webhook URLs are unauthenticated POST endpoints \u2014 anyone with the URL can send messages. They ar"}, "fullDescription": {"text": "Move the URL to a secret manager / environment variable. Rotate the webhook immediately if this is a live URL (consider it compromised the moment it landed in git)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED125", "name": "[MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolat", "shortDescription": {"text": "[MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.ref }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "fullDescription": {"text": "Capture the field into an env var first; reference $ENV_VAR in shell."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.BACKEND_PREVIEW_DISPATCH_TOKEN` on a `pull_request` trigger: This workflow triggers on", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.BACKEND_PREVIEW_DISPATCH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BACKEND_PREVIEW_DISPATCH_TOKEN }` lets a PR f"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1261"}, "properties": {"repository": "MCPJam/inspector", "repoUrl": "https://github.com/MCPJam/inspector", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127894, "scanner": "repobility-journey-contract", "fingerprint": "d1fe1e954aaead8e2566e9b3c0641a673c15c88731bb103d2994fec5aad97846", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/evals/generate-tests", "correlation_key": "fp|d1fe1e954aaead8e2566e9b3c0641a673c15c88731bb103d2994fec5aad97846", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/evals/constants.ts"}, "region": {"startLine": 161}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127893, "scanner": "repobility-journey-contract", "fingerprint": "2a9c47da5a9a1335236c6f2ee5054798c938aadea242eba1208803671d0a15a3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/evals/run", "correlation_key": "fp|2a9c47da5a9a1335236c6f2ee5054798c938aadea242eba1208803671d0a15a3", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/evals/constants.ts"}, "region": {"startLine": 160}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127892, "scanner": "repobility-journey-contract", "fingerprint": "98082de85c8b1a1e8fa0f8abc75a2203ce3d78fadbc6ee7c9235992afa9e60e5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/apps/files/upload-file", "correlation_key": "fp|98082de85c8b1a1e8fa0f8abc75a2203ce3d78fadbc6ee7c9235992afa9e60e5", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/mcp-apps/widget-file-messages.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127891, "scanner": "repobility-journey-contract", "fingerprint": "e36230339ed9870b5c9e11a9383e6876e546e2ea648ed052f483478dc2a3d229", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/apps/files/file", "correlation_key": "fp|e36230339ed9870b5c9e11a9383e6876e546e2ea648ed052f483478dc2a3d229", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/mcp-apps/widget-file-messages.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127890, "scanner": "repobility-journey-contract", "fingerprint": "529747902507116c4f4fbe21a9e53b6daf3574106113f780e4d27a28950d9f80", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/web/apps/files/file", "correlation_key": "fp|529747902507116c4f4fbe21a9e53b6daf3574106113f780e4d27a28950d9f80", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/mcp-apps/widget-file-messages.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127889, "scanner": "repobility-journey-contract", "fingerprint": "d6b161b862a9e693fb78df826307a74484642ed83004a7b3513b28e0639df03f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/resource-templates/list", "correlation_key": "fp|d6b161b862a9e693fb78df826307a74484642ed83004a7b3513b28e0639df03f", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/mcp-apps/mcp-apps-renderer.tsx"}, "region": {"startLine": 2996}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127888, "scanner": "repobility-journey-contract", "fingerprint": "023ef914c1e4c10bd67b57807ad1158295f172a848f1a6ce7c16c4181722d831", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/apps/mcp-apps/widget-content", "correlation_key": "fp|023ef914c1e4c10bd67b57807ad1158295f172a848f1a6ce7c16c4181722d831", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/mcp-apps/fetch-widget-content.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127887, "scanner": "repobility-journey-contract", "fingerprint": "12b089ef0b2b0db1e5e18a7c4543f51163b9172ef45c1994d665ad76697b8106", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/web/apps/mcp-apps/widget-content", "correlation_key": "fp|12b089ef0b2b0db1e5e18a7c4543f51163b9172ef45c1994d665ad76697b8106", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/mcp-apps/fetch-widget-content.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127886, "scanner": "repobility-journey-contract", "fingerprint": "aa32c2e8dc30eb2f61d63134c050a1e1362180c5e33c1e43b0e1c54e816b2230", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/elicitation/respond", "correlation_key": "fp|aa32c2e8dc30eb2f61d63134c050a1e1362180c5e33c1e43b0e1c54e816b2230", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/ChatTabV2.tsx"}, "region": {"startLine": 1641}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127885, "scanner": "repobility-journey-contract", "fingerprint": "3c852a215893d20715d5678eedd8243c8ebd1e7724fbd587d8e50cdffa977d8b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/elicitation/stream", "correlation_key": "fp|3c852a215893d20715d5678eedd8243c8ebd1e7724fbd587d8e50cdffa977d8b", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/ChatTabV2.tsx"}, "region": {"startLine": 1591}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127884, "scanner": "repobility-journey-contract", "fingerprint": "98191e365e2d0a417149cdd3864ea0bee3147c8558c19ccc3acf99646df0928c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/tools/respond", "correlation_key": "fp|98191e365e2d0a417149cdd3864ea0bee3147c8558c19ccc3acf99646df0928c", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/lib/inspector-api.ts"}, "region": {"startLine": 535}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127883, "scanner": "repobility-journey-contract", "fingerprint": "7a9ef81d7441c3f1129b6d225eec14e44c702594fc2722b74bfc7bb4add6f650", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/tools/execute", "correlation_key": "fp|7a9ef81d7441c3f1129b6d225eec14e44c702594fc2722b74bfc7bb4add6f650", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/lib/inspector-api.ts"}, "region": {"startLine": 524}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127882, "scanner": "repobility-journey-contract", "fingerprint": "682a99f3acd8414990ccf28bd8daac641ff9eb0827921c332b5ed642b446ff62", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/tools/list", "correlation_key": "fp|682a99f3acd8414990ccf28bd8daac641ff9eb0827921c332b5ed642b446ff62", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/lib/inspector-api.ts"}, "region": {"startLine": 513}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127881, "scanner": "repobility-journey-contract", "fingerprint": "fad140c717d8844bbb9e8859696b590b9a6c479cf91fca403604233a69654fdc", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/servers", "correlation_key": "fp|fad140c717d8844bbb9e8859696b590b9a6c479cf91fca403604233a69654fdc", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/lib/inspector-api.ts"}, "region": {"startLine": 494}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127880, "scanner": "repobility-journey-contract", "fingerprint": "418d4e54f217cb95e0e373ae5c1abd1b142aadb3a3f8801fb43137e8c05df9ec", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/mcp/connect", "correlation_key": "fp|418d4e54f217cb95e0e373ae5c1abd1b142aadb3a3f8801fb43137e8c05df9ec", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/lib/inspector-api.ts"}, "region": {"startLine": 486}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 127879, "scanner": "repobility-journey-contract", "fingerprint": "468705cfe766c51e5163dfe40cadb6905fa5f6cbd69c61b0d14829739f2402c4", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|3297|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/lib/oauth/mcp-oauth.ts"}, "region": {"startLine": 3297}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 127878, "scanner": "repobility-journey-contract", "fingerprint": "1b2b5e1a74fd3b6fedb84829ddf5212d27702992cd492ef728b0ece3c6d90037", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|2007|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/lib/oauth/mcp-oauth.ts"}, "region": {"startLine": 2007}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 127877, "scanner": "repobility-journey-contract", "fingerprint": "11a69a62e208717a3591b39badb4f14224a83ff69d32d705f080190f58edb1ed", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|64|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/lib/oauth/debug-oauth-provider.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 127876, "scanner": "repobility-journey-contract", "fingerprint": "c27c567ea1df105cbc6825fa8c8af0cf2ab9867e20eb36427c03f2884cde43b5", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|459|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/lib/local-state-migration.ts"}, "region": {"startLine": 459}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 127875, "scanner": "repobility-journey-contract", "fingerprint": "366ed1ec06e5ea963bcb8f74546657ce5f9a651436f7ff4056a005b874db2c97", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|77|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/hooks/use-ai-provider-keys.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /release/dispatch/route."}, "properties": {"repobilityId": 127874, "scanner": "repobility-access-control", "fingerprint": "69caeb788b2fe1c46a53c9cda2eb79bc463eb7b52651b9c29dc60b971857d049", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/release/dispatch/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|88|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "soundcheck/src/app/api/release/dispatch/route.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 127873, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 1, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 127872, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 127869, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 127867, "scanner": "repobility-agent-runtime", "fingerprint": "3c78ed7d850eabd2a0ace24ce43f53a153c3d34cbb85de3ce46e82e7101201d8", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|3c78ed7d850eabd2a0ace24ce43f53a153c3d34cbb85de3ce46e82e7101201d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/chat-input/dialogs/confirm-chat-reset-dialog.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 127866, "scanner": "repobility-agent-runtime", "fingerprint": "9c0919cb0def98b2f55aa4b6ab8462de775629849968b4d7d28150aa95eca404", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|9c0919cb0def98b2f55aa4b6ab8462de775629849968b4d7d28150aa95eca404"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/ServersTab.tsx"}, "region": {"startLine": 195}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 127865, "scanner": "repobility-agent-runtime", "fingerprint": "cfa2b5bad083ef2cc981b6a154abf1937a9a0da662f8e7342d4da1b5e7f3bfa9", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|cfa2b5bad083ef2cc981b6a154abf1937a9a0da662f8e7342d4da1b5e7f3bfa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/App.tsx"}, "region": {"startLine": 1740}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 127864, "scanner": "repobility-agent-runtime", "fingerprint": "77cc23c51f71a74430d9c0b035d88ec6445b6c1187de81734a45cf16e6cdeaf2", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|77cc23c51f71a74430d9c0b035d88ec6445b6c1187de81734a45cf16e6cdeaf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp-apps/flashcards-supabase/server-utils.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 127863, "scanner": "repobility-agent-runtime", "fingerprint": "b8de853f91d01469ab4954b1f35dbea352b32ca0bbb1ca1c1a8f8c0fe1abfb84", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b8de853f91d01469ab4954b1f35dbea352b32ca0bbb1ca1c1a8f8c0fe1abfb84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp-apps/express-react-template/server-utils.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 127829, "scanner": "repobility-threat-engine", "fingerprint": "cded5fa4d4abf79ae29c9a2232808b6f21d25052733bbcafc5dcb6b29a91f5dd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "iveTraceTurnId(): string {\n  return `trace_turn_${Date.now()}_${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cded5fa4d4abf79ae29c9a2232808b6f21d25052733bbcafc5dcb6b29a91f5dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/utils/live-chat-trace-stream.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 127818, "scanner": "repobility-threat-engine", "fingerprint": "634aee242550a43c58beb5432267e83da275887aba5a571698aea98fc8e4a7dc", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = callbackUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|634aee242550a43c58beb5432267e83da275887aba5a571698aea98fc8e4a7dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/hooks/useElectronOAuth.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 127796, "scanner": "repobility-threat-engine", "fingerprint": "e5efc0525921daf3b6322efa11ffae87c48f70aa661c4827253555e59b9778ec", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|16|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/src/oauth/state-machines/shared/challenges.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 127795, "scanner": "repobility-threat-engine", "fingerprint": "4a20c9e47a6edd2ad5c369567b9e713ae7ea780f02ff1f53e5925352b945a506", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|mcp/src/auth.ts|37|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/auth.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 127785, "scanner": "repobility-threat-engine", "fingerprint": "da7cf93b1a41e1fa9487bb279c26ad84c4824e7557107c3a3e1676387ce275e4", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da7cf93b1a41e1fa9487bb279c26ad84c4824e7557107c3a3e1676387ce275e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/ui/github-star-button.tsx"}, "region": {"startLine": 59}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 127784, "scanner": "repobility-threat-engine", "fingerprint": "b9ed7e302a582a4be34e976fbd7a29843d9028dfd7ac31909993e9330773bea7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b9ed7e302a582a4be34e976fbd7a29843d9028dfd7ac31909993e9330773bea7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/learn-more/LearnMoreHoverCard.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 127783, "scanner": "repobility-threat-engine", "fingerprint": "e4e255215de768c2963ce77a4d47767649108c750705de53f313b60c14712adf", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e4e255215de768c2963ce77a4d47767649108c750705de53f313b60c14712adf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/home/ProductUpdateHoverCard.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 127777, "scanner": "repobility-threat-engine", "fingerprint": "d79aedf0aa55cbf7bc2d503c63f571df04e1719f8f13f013541f07ee745a6538", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(\n      authorizationUrl,\n      uniqueWindowName,\n      `width=${width},height=${height},", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|27|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/oauth/OAuthAuthorizationModal.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 127776, "scanner": "repobility-threat-engine", "fingerprint": "4bc927bfd49a92d8bf839b03069beeb329105a7ff4d1d6ed9cc2a8411f0a530c", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(action.payload.url, \"_blank\", \"noopener,noreferrer\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|32|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/parts/mcp-ui-resource-part.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 127775, "scanner": "repobility-threat-engine", "fingerprint": "75e3979de31eb6c64b8de03ca5d4c472d531e9d2a22b20e213f666055c693335", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(\"https://www.mcpjam.com\", \"_blank\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|48|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/chatgpt-apps/CoffeeShop/src/CoffeeShopWidget.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 127871, "scanner": "repobility-docker", "fingerprint": "3411bfda76fc561fff747c0b02e7c9ad904cd8c78da12a900c219c2ac5955213", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "inspector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3411bfda76fc561fff747c0b02e7c9ad904cd8c78da12a900c219c2ac5955213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 127870, "scanner": "repobility-docker", "fingerprint": "859ad9c926e781c58d230422b9ca1bbfd790eec460c4829af76927bb62b85d61", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "inspector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|859ad9c926e781c58d230422b9ca1bbfd790eec460c4829af76927bb62b85d61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127862, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a53b5d972157b6a7fb2951e17ea04b2885aa19f9b779c3e69b201229edfffaa9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/chatboxes/builder/ChatboxCanvas.tsx", "duplicate_line": 38, "correlation_key": "fp|a53b5d972157b6a7fb2951e17ea04b2885aa19f9b779c3e69b201229edfffaa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/connection/shared/HostedConnectionTypeControl.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127861, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a7bb415d8402a0f1fc0c5f125082e03e0558bd91c084b815a754928ba6749e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/connection/shared/CustomHeadersSection.tsx", "duplicate_line": 38, "correlation_key": "fp|2a7bb415d8402a0f1fc0c5f125082e03e0558bd91c084b815a754928ba6749e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/connection/shared/EnvVarsSection.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127860, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a427cabd8a391096dad05466ca2e25001fba206a0b2f39efb7c3a41e469067f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/chatboxes/ChatboxUsagePanel.tsx", "duplicate_line": 226, "correlation_key": "fp|a427cabd8a391096dad05466ca2e25001fba206a0b2f39efb7c3a41e469067f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/connection/share-usage/ShareUsageDialog.tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127859, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c0e23438f24e952cb23b79d74e6e19a95176a3b765d058fcc42f0489e2929f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/connection/AddServerModal.tsx", "duplicate_line": 204, "correlation_key": "fp|5c0e23438f24e952cb23b79d74e6e19a95176a3b765d058fcc42f0489e2929f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/connection/ServerDetailModal.tsx"}, "region": {"startLine": 363}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127858, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b48fe7e57616c7704c388f43d03aebadbc1b52eb59afa28d99393b104f37e60", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/connection/AddServerModal.tsx", "duplicate_line": 262, "correlation_key": "fp|2b48fe7e57616c7704c388f43d03aebadbc1b52eb59afa28d99393b104f37e60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/connection/EditServerFormContent.tsx"}, "region": {"startLine": 101}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127857, "scanner": "repobility-ai-code-hygiene", "fingerprint": "640b7d16a028e12e8c90eae86627a1c5e39762ebec58a844862d9537f15b6ae5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/clients/redesigned/canvas/ClientCapabilityMatrix.tsx", "duplicate_line": 46, "correlation_key": "fp|640b7d16a028e12e8c90eae86627a1c5e39762ebec58a844862d9537f15b6ae5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/clients/redesigned/types.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127856, "scanner": "repobility-ai-code-hygiene", "fingerprint": "814d78b8667d10b91d4d3440f03a9cc61587909b057dadbfc9b9cbdce125ac36", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/clients/redesigned/focus/ClientFocusDialog.tsx", "duplicate_line": 223, "correlation_key": "fp|814d78b8667d10b91d4d3440f03a9cc61587909b057dadbfc9b9cbdce125ac36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/clients/redesigned/focus/ClientFocusPanel.tsx"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127855, "scanner": "repobility-ai-code-hygiene", "fingerprint": "119c8d5c21078b8efdb3ed39a6e3c700e99c8f0e0408fd8f64fea33340c4789f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/clients/attachment-editor.tsx", "duplicate_line": 106, "correlation_key": "fp|119c8d5c21078b8efdb3ed39a6e3c700e99c8f0e0408fd8f64fea33340c4789f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/clients/redesigned/focus/ClientFocusDialog.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127854, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4223461585d0969950d2dbb0d88309e03f53ffedee56b8a9d0d5b32dc21ae267", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/chatboxes/ChatboxPublishClientBar.tsx", "duplicate_line": 84, "correlation_key": "fp|4223461585d0969950d2dbb0d88309e03f53ffedee56b8a9d0d5b32dc21ae267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/clients/comparison/HostCompareSelector.tsx"}, "region": {"startLine": 189}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127853, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e86c26f1a4b59377e9afd441a2f9ff459b7800cee24111999fcdc6b2e9ad8fb0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/clients/MultiHostPicker.tsx", "duplicate_line": 6, "correlation_key": "fp|e86c26f1a4b59377e9afd441a2f9ff459b7800cee24111999fcdc6b2e9ad8fb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/clients/comparison/HostCompareSelector.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127852, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2fd5500269e15384d7862edfbce08bc509001dc73bcfc911e066cd276b76ebf3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/chat-v2/chat-input/model-selector.tsx", "duplicate_line": 133, "correlation_key": "fp|2fd5500269e15384d7862edfbce08bc509001dc73bcfc911e066cd276b76ebf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/clients/MultiHostPicker.tsx"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127851, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3025c21be3c9d739b7ae9044091b236249c8c606ab8046c675364ff83b7b0e38", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/chatboxes/builder/setup-checklist-panel.tsx", "duplicate_line": 51, "correlation_key": "fp|3025c21be3c9d739b7ae9044091b236249c8c606ab8046c675364ff83b7b0e38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/clients/ClientSetupChecklistPanel.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127850, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23a69038ed097bff94a4e8ee1bac831f2520240614c699d9ba4bdf3170008aee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/chatboxes/builder/ChatboxCanvas.tsx", "duplicate_line": 322, "correlation_key": "fp|23a69038ed097bff94a4e8ee1bac831f2520240614c699d9ba4bdf3170008aee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/clients/ClientCanvas.tsx"}, "region": {"startLine": 97}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127849, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8703ee89984b565499edbebe8b566b2606f6d8a62e455779d0bde16573b0178b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/chat-v2/thread/message-view.tsx", "duplicate_line": 207, "correlation_key": "fp|8703ee89984b565499edbebe8b566b2606f6d8a62e455779d0bde16573b0178b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/transcript-thread.tsx"}, "region": {"startLine": 483}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127848, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88c6a5850a41970d1e5a76687e1275df423fdbec9119c0fb8d43ee73e6e1101c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/chat-v2/chat-input/attachments/file-attachment-card.tsx", "duplicate_line": 26, "correlation_key": "fp|88c6a5850a41970d1e5a76687e1275df423fdbec9119c0fb8d43ee73e6e1101c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/parts/file-part.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127847, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d6b56009955106c29a7ba3eb0fed23ed4d78682c14bd80c22cf032b314be5027", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/chat-v2/thread/message-view.tsx", "duplicate_line": 145, "correlation_key": "fp|d6b56009955106c29a7ba3eb0fed23ed4d78682c14bd80c22cf032b314be5027"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/part-switch.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127846, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0070e2ec7b8050d6fe3a84f77d1e40b51224cf116f534f10d1f0adabbc73b67d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/chat-v2/shared/thinking-indicator.tsx", "duplicate_line": 49, "correlation_key": "fp|0070e2ec7b8050d6fe3a84f77d1e40b51224cf116f534f10d1f0adabbc73b67d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/message-view.tsx"}, "region": {"startLine": 282}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127845, "scanner": "repobility-ai-code-hygiene", "fingerprint": "993da89804e3a6d1d026744011935178f64dd2df28371ce15e411395b705d7d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/chat-v2/history/convert-chat-session-dialog.tsx", "duplicate_line": 4, "correlation_key": "fp|993da89804e3a6d1d026744011935178f64dd2df28371ce15e411395b705d7d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/shared/save-as-test-case-action.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127844, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f25178b11ce53a2852846362d49b7c7f4395ef834d7c77e5d1aa1529991aff9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/architecture-diagram/ArchAssetNode.tsx", "duplicate_line": 11, "correlation_key": "fp|7f25178b11ce53a2852846362d49b7c7f4395ef834d7c77e5d1aa1529991aff9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/architecture-diagram/ArchBlockNode.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127843, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f061e8aa0e5ed7c11ae30a999c25bb162a4e0b3de4a419c44ea30f2c97b57f55", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/ResourceTemplatesTab.tsx", "duplicate_line": 272, "correlation_key": "fp|f061e8aa0e5ed7c11ae30a999c25bb162a4e0b3de4a419c44ea30f2c97b57f55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/TasksTab.tsx"}, "region": {"startLine": 538}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127842, "scanner": "repobility-ai-code-hygiene", "fingerprint": "735ac6cad46cabe30b2e877439935363b0d63d2f692f9f061f28ceda816ef531", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/PromptsTab.tsx", "duplicate_line": 483, "correlation_key": "fp|735ac6cad46cabe30b2e877439935363b0d63d2f692f9f061f28ceda816ef531"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/TasksTab.tsx"}, "region": {"startLine": 537}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127841, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8291ac7d025b42207fc125209aa1f402f927a7f98b704b9c794b59514633cbc8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/PromptsTab.tsx", "duplicate_line": 277, "correlation_key": "fp|8291ac7d025b42207fc125209aa1f402f927a7f98b704b9c794b59514633cbc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/ResourcesTab.tsx"}, "region": {"startLine": 447}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127840, "scanner": "repobility-ai-code-hygiene", "fingerprint": "21605e98f2c10c78ebbad970d9ef3b38af35357d20410a54dd7326ddccf61493", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/ResourceTemplatesTab.tsx", "duplicate_line": 28, "correlation_key": "fp|21605e98f2c10c78ebbad970d9ef3b38af35357d20410a54dd7326ddccf61493"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/ResourcesTab.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127839, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eed87eaea570ba341fb19e13b9d2cad833c8e1e6e004a606dc8a71d9f8781b21", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/PromptsTab.tsx", "duplicate_line": 482, "correlation_key": "fp|eed87eaea570ba341fb19e13b9d2cad833c8e1e6e004a606dc8a71d9f8781b21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/ResourceTemplatesTab.tsx"}, "region": {"startLine": 270}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127838, "scanner": "repobility-ai-code-hygiene", "fingerprint": "71a05b221d81924116d2fccfbf2accfd9d7663083f853db52e9584b0c20de459", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mcpjam-inspector/client/src/components/CiEvalsTab.tsx", "duplicate_line": 90, "correlation_key": "fp|71a05b221d81924116d2fccfbf2accfd9d7663083f853db52e9584b0c20de459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/EvalsTab.tsx"}, "region": {"startLine": 138}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127837, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f442a3cc68d51cdd4a502a656da1273c6337e097ade1c6c07e9503b74d06653", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/server.ts", "duplicate_line": 298, "correlation_key": "fp|0f442a3cc68d51cdd4a502a656da1273c6337e097ade1c6c07e9503b74d06653"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/tools.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127836, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5bfafb6140998edd6ba10e1610495f355512bce7be6d4752c1332a4aa86a5c08", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/prompts.ts", "duplicate_line": 27, "correlation_key": "fp|5bfafb6140998edd6ba10e1610495f355512bce7be6d4752c1332a4aa86a5c08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/tools.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127835, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70e3568270fda72630a2af6da1751cdb111d5a3bcf1c138eb9b4841b3c204c6d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/prompts.ts", "duplicate_line": 27, "correlation_key": "fp|70e3568270fda72630a2af6da1751cdb111d5a3bcf1c138eb9b4841b3c204c6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/server.ts"}, "region": {"startLine": 210}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127834, "scanner": "repobility-ai-code-hygiene", "fingerprint": "274df771b4786a1ffc927b922983a8f5f2c7e57d1e6d35a84440c9d55cc39d9a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/prompts.ts", "duplicate_line": 26, "correlation_key": "fp|274df771b4786a1ffc927b922983a8f5f2c7e57d1e6d35a84440c9d55cc39d9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/resources.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127833, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1414f3a151d469336b818adb8a9c702c896d420667351ec31701036e18ee2cc6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/apps.ts", "duplicate_line": 81, "correlation_key": "fp|1414f3a151d469336b818adb8a9c702c896d420667351ec31701036e18ee2cc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/conformance.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 127832, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a852773389bd2b4ca90ec602f6ac612c7bfbeb68259c04822254542f1d68c76", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|6a852773389bd2b4ca90ec602f6ac612c7bfbeb68259c04822254542f1d68c76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/hosted/chatbox-oauth-copy.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 127817, "scanner": "repobility-threat-engine", "fingerprint": "25279d46f98d9db8e7827e07b13e9e272d6dee013ef05ee690112438d61147a1", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML =\n      b", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|63|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/hooks/use-textarea-caret-position.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 127868, "scanner": "repobility-docker", "fingerprint": "5f2a610f6f04698204b64f49923e1340385d889fb0ea54e0ad3e631eea3f15f5", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "node:${NODE_VERSION}-alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5f2a610f6f04698204b64f49923e1340385d889fb0ea54e0ad3e631eea3f15f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 127825, "scanner": "repobility-threat-engine", "fingerprint": "d05622fdc036356bb1d4760dbc713fc3b70379f524ba03589d60f0eae15b4d05", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d05622fdc036356bb1d4760dbc713fc3b70379f524ba03589d60f0eae15b4d05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/routes/web/apps.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 127824, "scanner": "repobility-threat-engine", "fingerprint": "c03c093c0fa0d09ae5bed9ae90907ab83246aa1a36841840ec5c715e72a609ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c03c093c0fa0d09ae5bed9ae90907ab83246aa1a36841840ec5c715e72a609ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/config.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 127823, "scanner": "repobility-threat-engine", "fingerprint": "d29386585e1239c614af03f47754ffb00d73ebadc0b1adfb9b47f79add5e2509", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d29386585e1239c614af03f47754ffb00d73ebadc0b1adfb9b47f79add5e2509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/app.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 127822, "scanner": "repobility-threat-engine", "fingerprint": "9795a5a7b9dffed6505dffb2a2f776d0682bed2495a5c039e1794b196e3c2849", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9795a5a7b9dffed6505dffb2a2f776d0682bed2495a5c039e1794b196e3c2849"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/sync-docs-tokens.mjs"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 127821, "scanner": "repobility-threat-engine", "fingerprint": "d0593ea9d78ed35c6dad6c2d545124d611dc7c0cdfcf4da7ba609c428199741b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d0593ea9d78ed35c6dad6c2d545124d611dc7c0cdfcf4da7ba609c428199741b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/services/guest-token-verifier.ts"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 127820, "scanner": "repobility-threat-engine", "fingerprint": "74f044f7a4b6b762342f4cbdc01de8f800338362e969aff4a7aa862d451000ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|74f044f7a4b6b762342f4cbdc01de8f800338362e969aff4a7aa862d451000ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/main.tsx"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 127819, "scanner": "repobility-threat-engine", "fingerprint": "ff5a7ad4878e31792cd043239146ffed328df7b9f70e8deaca887244d443c74b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff5a7ad4878e31792cd043239146ffed328df7b9f70e8deaca887244d443c74b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/hooks/useOrganizations.ts"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 127816, "scanner": "repobility-threat-engine", "fingerprint": "019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127815, "scanner": "repobility-threat-engine", "fingerprint": "375c30dd0420ad3499cbb87f884c2b2c70445de4704414d40daa3ba19d01f7e9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "Logger.info(scrubTokenFromUrl(message)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|18|logger.info scrubtokenfromurl message"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/app.ts"}, "region": {"startLine": 186}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127814, "scanner": "repobility-threat-engine", "fingerprint": "1449838986c771ab1818d7c85000d4b8012562820692bb23f1dd2c5231b7a6db", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(\"[Auth] Session token initialized\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|22|console.log auth session token initialized"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/main.tsx"}, "region": {"startLine": 223}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127813, "scanner": "repobility-threat-engine", "fingerprint": "73afa0fae2d32c84ca59c84d6a70379085967e9ec202224adf892ab6d263ad99", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn(\"Failed to save provider tokens to localStorage:\", error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|console.warn failed to save provider tokens to localstorage: error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/hooks/use-ai-provider-keys.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 127812, "scanner": "repobility-threat-engine", "fingerprint": "aa033cf9f787876df87f9b448e7246cbf082588a268fafa63fbae4034b56c7c5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa033cf9f787876df87f9b448e7246cbf082588a268fafa63fbae4034b56c7c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/ui/chart.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 127811, "scanner": "repobility-threat-engine", "fingerprint": "1b04039ebff26a824c66a4c37899a25e16f6b5b2c5ac2f985bd4d267034ff33b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b04039ebff26a824c66a4c37899a25e16f6b5b2c5ac2f985bd4d267034ff33b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/ui-playground/HandDrawnSendHint.tsx"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 127810, "scanner": "repobility-threat-engine", "fingerprint": "8088f25fb183552fd55e002784f1a143c5d25e35d7d5f3aed13447619b902252", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8088f25fb183552fd55e002784f1a143c5d25e35d7d5f3aed13447619b902252"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 127806, "scanner": "repobility-threat-engine", "fingerprint": "cd42195ae1e0779f0f1aa7d5ec03a60372dca0e9131a17421bcd2b02a7181ba8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd42195ae1e0779f0f1aa7d5ec03a60372dca0e9131a17421bcd2b02a7181ba8", "aggregated_count": 22}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 127805, "scanner": "repobility-threat-engine", "fingerprint": "877a96e66371666b3b738d153ffc6119dc26f9a59680ff0194c7a98194ce1ef1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|877a96e66371666b3b738d153ffc6119dc26f9a59680ff0194c7a98194ce1ef1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/connection/share-usage/ShareUsageThreadDetail.tsx"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 127804, "scanner": "repobility-threat-engine", "fingerprint": "1fadf707899aa3d7506308aefa9db72382d16e00f144c18b6731d588fd2b68bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1fadf707899aa3d7506308aefa9db72382d16e00f144c18b6731d588fd2b68bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/thread/csp-workbench/BlockedRequestCard.tsx"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 127803, "scanner": "repobility-threat-engine", "fingerprint": "7e6d27665e08d3973d812b580aaefa1c229161df0d16def417a51145733f4dc1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7e6d27665e08d3973d812b580aaefa1c229161df0d16def417a51145733f4dc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/HomeTab.tsx"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 71 more): Same pattern found in 71 additional files. Review if needed."}, "properties": {"repobilityId": 127802, "scanner": "repobility-threat-engine", "fingerprint": "678e813c3301bfda9ccc9fbed31bebd3f45a0e9e9c693b981e449873415f6a7b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 71 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|678e813c3301bfda9ccc9fbed31bebd3f45a0e9e9c693b981e449873415f6a7b", "aggregated_count": 71}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 127801, "scanner": "repobility-threat-engine", "fingerprint": "b837b71485ebb41a1625c117e5e52f5a6bfcf8073dca1253cd3a917dae46b3c5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b837b71485ebb41a1625c117e5e52f5a6bfcf8073dca1253cd3a917dae46b3c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/tools/showServers.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 127800, "scanner": "repobility-threat-engine", "fingerprint": "6ecf551ff7f162fa85881e26a73cbbf1eedd1dfdb81e05f28416553e1d803200", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ecf551ff7f162fa85881e26a73cbbf1eedd1dfdb81e05f28416553e1d803200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/tools/sessionToolRegistrar.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 127799, "scanner": "repobility-threat-engine", "fingerprint": "536f9e52a4de6ec8c0ef7251b765ae1765ed05e374c7c589ec61a2e6e5af4a73", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|536f9e52a4de6ec8c0ef7251b765ae1765ed05e374c7c589ec61a2e6e5af4a73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/server.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 127794, "scanner": "repobility-threat-engine", "fingerprint": "785a9d8b5575ed128b1c6b814ce12a095307d8a866ec53112aa4851d54a340f5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|785a9d8b5575ed128b1c6b814ce12a095307d8a866ec53112aa4851d54a340f5", "aggregated_count": 31}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 127793, "scanner": "repobility-threat-engine", "fingerprint": "c2da6b3f38b30609e9dcca2454885d46e36d3e22719e84c2c42d93f914f84a78", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2da6b3f38b30609e9dcca2454885d46e36d3e22719e84c2c42d93f914f84a78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/ElicitationDialog.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 127792, "scanner": "repobility-threat-engine", "fingerprint": "102823c127f5ac1b63c0307f4cf373f8379fe2d22d68e7560d747462385a53c1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|102823c127f5ac1b63c0307f4cf373f8379fe2d22d68e7560d747462385a53c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/server.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 127791, "scanner": "repobility-threat-engine", "fingerprint": "60eb9cdfbd05ca2ecfa9dc4551346f13280c6d598b191a1a059c79c49b460705", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|60eb9cdfbd05ca2ecfa9dc4551346f13280c6d598b191a1a059c79c49b460705"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp-apps/sip-cocktails/convex/cocktails.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 127790, "scanner": "repobility-threat-engine", "fingerprint": "eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "aggregated_count": 8}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 127789, "scanner": "repobility-threat-engine", "fingerprint": "3ec0882bc1bfbaa2296aec2563c398dad170c3d610f11ab097ec92f0c358b48b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3ec0882bc1bfbaa2296aec2563c398dad170c3d610f11ab097ec92f0c358b48b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/auth.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 127788, "scanner": "repobility-threat-engine", "fingerprint": "f387df3afbbf5deb9d25c89e26effe78626f78517d1ae105556c306fb55e4a4e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f387df3afbbf5deb9d25c89e26effe78626f78517d1ae105556c306fb55e4a4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp-apps/sip-cocktails/server-utils.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 127787, "scanner": "repobility-threat-engine", "fingerprint": "19c24edce6dd92030ddf2555acc1e6c1a9fd5e383e377c04b0e79c91e361683f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|19c24edce6dd92030ddf2555acc1e6c1a9fd5e383e377c04b0e79c91e361683f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp-apps/sip-cocktails/convex/auth.config.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 127786, "scanner": "repobility-threat-engine", "fingerprint": "55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 127782, "scanner": "repobility-threat-engine", "fingerprint": "0e4edd7fe9518f7277fed6092142035e57b063cf1d50a9f85d4bb934c5de10f9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0e4edd7fe9518f7277fed6092142035e57b063cf1d50a9f85d4bb934c5de10f9"}}}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 127778, "scanner": "repobility-threat-engine", "fingerprint": "a97c7de41c6b2c7d1727e9699cae690457bf784eba999a96e493342f63dadd13", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a97c7de41c6b2c7d1727e9699cae690457bf784eba999a96e493342f63dadd13"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 61 more): Same pattern found in 61 additional files. Review if needed."}, "properties": {"repobilityId": 127774, "scanner": "repobility-threat-engine", "fingerprint": "9601d4a28dbac7d9bbc29530ed28eb7223e9b47070a3e8fae8b4bb1dda9b8148", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 61 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9601d4a28dbac7d9bbc29530ed28eb7223e9b47070a3e8fae8b4bb1dda9b8148", "aggregated_count": 61}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 127773, "scanner": "repobility-threat-engine", "fingerprint": "608779305843b21a17bad4195722e28294613a5f19e693b769e0aeefe999aacf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|608779305843b21a17bad4195722e28294613a5f19e693b769e0aeefe999aacf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp-apps/express-react-template/server-utils.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 127772, "scanner": "repobility-threat-engine", "fingerprint": "58ecb7f4251e96ca95aeed1d3a03f64dbe45142c9a9c748075dd003e3e3cf221", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58ecb7f4251e96ca95aeed1d3a03f64dbe45142c9a9c748075dd003e3e3cf221"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/conformance/basic/mock-http-server.mjs"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 127771, "scanner": "repobility-threat-engine", "fingerprint": "d391861be618085845ffd955adc3e092c58d80a95b79359aa73ad620d27b4a27", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d391861be618085845ffd955adc3e092c58d80a95b79359aa73ad620d27b4a27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/chatgpt-apps/CoffeeShop/server.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 127770, "scanner": "repobility-threat-engine", "fingerprint": "22f086d0fdc97d81b8738c7e9d19e5d21469b0073a89ebfc090d5326c2797492", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|22f086d0fdc97d81b8738c7e9d19e5d21469b0073a89ebfc090d5326c2797492"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 127769, "scanner": "repobility-threat-engine", "fingerprint": "e97368bd5254b20339f79e3f36db7c277afb3e5b1a2749d97fe3d88a93ad59f0", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|178|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/state/app-types.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 127768, "scanner": "repobility-threat-engine", "fingerprint": "1b3b3bb1895c9837b763169d0d8ae1d5432cd4f56d04cebf22a5682d222b7ed9", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|12|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/hooks/use-inspector-command-bus.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 127767, "scanner": "repobility-threat-engine", "fingerprint": "6150d568b3006566d80d16a03c5a11d5eddff753adff977e19ec80becec766ff", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|168|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/chatgpt-apps/CoffeeShop/server.ts"}, "region": {"startLine": 168}}}]}, {"ruleId": "SEC100", "level": "none", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 127766, "scanner": "repobility-threat-engine", "fingerprint": "17f0e7db61805802f09736a843373f88fa4fcf3b36b920717e455dcebc9c1167", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|17f0e7db61805802f09736a843373f88fa4fcf3b36b920717e455dcebc9c1167"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 127762, "scanner": "repobility-threat-engine", "fingerprint": "b46c9ea7374ccad330e72565885a8d870744148a4998d7390eca5cef486b7d94", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b46c9ea7374ccad330e72565885a8d870744148a4998d7390eca5cef486b7d94", "aggregated_count": 24}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 127761, "scanner": "repobility-threat-engine", "fingerprint": "5bbb7ec7c673f7d0e3265261dca758da512101eceae08121f5ba627cc1f163e9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5bbb7ec7c673f7d0e3265261dca758da512101eceae08121f5ba627cc1f163e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/chatgpt-apps/CoffeeShop/src/CoffeeShopWidget.tsx"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 127760, "scanner": "repobility-threat-engine", "fingerprint": "7a2d307f5ac96009990f741e7c92ab24679d9e20a0e122b5a8749da5b07857ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a2d307f5ac96009990f741e7c92ab24679d9e20a0e122b5a8749da5b07857ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-system/src/components/slider.tsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 127759, "scanner": "repobility-threat-engine", "fingerprint": "a8f6648ad61621594c13b8c1b0afee30b80260cf5017d7b8498cb2e8bdcdc2fc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a8f6648ad61621594c13b8c1b0afee30b80260cf5017d7b8498cb2e8bdcdc2fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design-system/src/components/servers-loading-skeleton.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "properties": {"repobilityId": 127758, "scanner": "repobility-threat-engine", "fingerprint": "0a2f447ae192a44b5350f96541432174b6d8c9cc16a3162beb2a14aa44f7a8dc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 52 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 52 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0a2f447ae192a44b5350f96541432174b6d8c9cc16a3162beb2a14aa44f7a8dc"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127954, "scanner": "repobility-supply-chain", "fingerprint": "64a8aa50f93199ffd9920915c091abfa41b24c3064b208a32eb349396c59fe85", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64a8aa50f93199ffd9920915c091abfa41b24c3064b208a32eb349396c59fe85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mac-release.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127953, "scanner": "repobility-supply-chain", "fingerprint": "e1a559aaed7be458be998ef09a4076855648f943a7a619fdbd8c437cbf784d96", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1a559aaed7be458be998ef09a4076855648f943a7a619fdbd8c437cbf784d96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mac-release.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127952, "scanner": "repobility-supply-chain", "fingerprint": "8cad0832c9e21251e6f449631167fb80ac6dc8193ee01f304c69d82a38ffb525", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cad0832c9e21251e6f449631167fb80ac6dc8193ee01f304c69d82a38ffb525"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mac-release.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127951, "scanner": "repobility-supply-chain", "fingerprint": "3de2a17537c7eb5ee086495f3ebf3d3b735f811d1a3a3644641cfbce4d773f6e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3de2a17537c7eb5ee086495f3ebf3d3b735f811d1a3a3644641cfbce4d773f6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mac-release.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127950, "scanner": "repobility-supply-chain", "fingerprint": "3b226ad3784df6cfc9d69fbf81ee6c1daba7547c6b15a8259ca3cf204163bc25", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b226ad3784df6cfc9d69fbf81ee6c1daba7547c6b15a8259ca3cf204163bc25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-release.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127949, "scanner": "repobility-supply-chain", "fingerprint": "3ced42f0a6b1f223c3fee8724e8c0bfd8b40a3018ea8ddd3b56dfdc01a09cb0f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ced42f0a6b1f223c3fee8724e8c0bfd8b40a3018ea8ddd3b56dfdc01a09cb0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-release.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127948, "scanner": "repobility-supply-chain", "fingerprint": "fd905551466451bace57c1e13b86f1e860292c2036d3a9a52c2746dd70c16358", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd905551466451bace57c1e13b86f1e860292c2036d3a9a52c2746dd70c16358"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-release.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127947, "scanner": "repobility-supply-chain", "fingerprint": "db80a2bedb83dcf6a70da8961e70bff528029136e189279fd76024171ed65ae3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db80a2bedb83dcf6a70da8961e70bff528029136e189279fd76024171ed65ae3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-release.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127946, "scanner": "repobility-supply-chain", "fingerprint": "c70e7742c1aeb2fe4505fe9f0921696efcb4e236c44acbe888f1fa38607ad6ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c70e7742c1aeb2fe4505fe9f0921696efcb4e236c44acbe888f1fa38607ad6ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127945, "scanner": "repobility-supply-chain", "fingerprint": "b8cc7e3554be2e443cb8b51d991ab58a8dbeae861967079ba0023bb5c253b19b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8cc7e3554be2e443cb8b51d991ab58a8dbeae861967079ba0023bb5c253b19b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127944, "scanner": "repobility-supply-chain", "fingerprint": "4a4f9bb916775a1e642f8214650d04398841fe3dd281dbf5a5f8ef0953a63499", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a4f9bb916775a1e642f8214650d04398841fe3dd281dbf5a5f8ef0953a63499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-staging.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127943, "scanner": "repobility-supply-chain", "fingerprint": "604dd92f8ca4b4469f05453807f1a17a4773c84a3759116d2c50aab6b2010f0a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|604dd92f8ca4b4469f05453807f1a17a4773c84a3759116d2c50aab6b2010f0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-staging.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127934, "scanner": "repobility-supply-chain", "fingerprint": "cb54909398e56b84ddccd57421dbab9de680650ae514a9a6396ca27ca02abf9b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb54909398e56b84ddccd57421dbab9de680650ae514a9a6396ca27ca02abf9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 249}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cloudflare/wrangler-action` pinned to mutable ref `@v3`: `uses: cloudflare/wrangler-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127933, "scanner": "repobility-supply-chain", "fingerprint": "39042af9cf68151f64c56cf28e6f5c98bd9ac27c1bb7ba6ce3fd7b9b59bded19", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39042af9cf68151f64c56cf28e6f5c98bd9ac27c1bb7ba6ce3fd7b9b59bded19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127932, "scanner": "repobility-supply-chain", "fingerprint": "01d94b8b912ac8279d07a0bc11608116f92bf4e6d36cac8e8542bc941c21f361", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01d94b8b912ac8279d07a0bc11608116f92bf4e6d36cac8e8542bc941c21f361"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127931, "scanner": "repobility-supply-chain", "fingerprint": "6ad802c05a6684c48e637e01def91d98b430d7899c9876fe60f6f067dd5b47fd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ad802c05a6684c48e637e01def91d98b430d7899c9876fe60f6f067dd5b47fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127930, "scanner": "repobility-supply-chain", "fingerprint": "6120eda2ac6775b8a4ae23baa891d19e5bc8c51e1f0024b8d76dbba678c618b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6120eda2ac6775b8a4ae23baa891d19e5bc8c51e1f0024b8d76dbba678c618b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cloudflare/wrangler-action` pinned to mutable ref `@v3`: `uses: cloudflare/wrangler-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127929, "scanner": "repobility-supply-chain", "fingerprint": "3505f834c6531dbc44e5e663cd8dc61a2da8a54d249415a4c76746df3ddce378", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3505f834c6531dbc44e5e663cd8dc61a2da8a54d249415a4c76746df3ddce378"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127928, "scanner": "repobility-supply-chain", "fingerprint": "f24b2e9cece2e54e4a62a3bf854396ae2c6824870682297c0d7b8188c3618d2a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f24b2e9cece2e54e4a62a3bf854396ae2c6824870682297c0d7b8188c3618d2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127927, "scanner": "repobility-supply-chain", "fingerprint": "942634e2662f791cbd3152c5f8bc22e5c110d75733f1d916892311a6cc59f02b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|942634e2662f791cbd3152c5f8bc22e5c110d75733f1d916892311a6cc59f02b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127926, "scanner": "repobility-supply-chain", "fingerprint": "999c07fea5dd991a87b12d9051546f66ca908f7b699b1f4d49cb5ddd1e45be30", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|999c07fea5dd991a87b12d9051546f66ca908f7b699b1f4d49cb5ddd1e45be30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127925, "scanner": "repobility-supply-chain", "fingerprint": "45b6366e53fd08fa62cebc2921df9200f129e3f546b038d4c931fb734918f2c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45b6366e53fd08fa62cebc2921df9200f129e3f546b038d4c931fb734918f2c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cloudflare/wrangler-action` pinned to mutable ref `@v3`: `uses: cloudflare/wrangler-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127924, "scanner": "repobility-supply-chain", "fingerprint": "e7cd64a18ae75a446b7dcd27c68d23cc21bf7d2925895a6def0a280f2681626e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e7cd64a18ae75a446b7dcd27c68d23cc21bf7d2925895a6def0a280f2681626e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-mcp-staging.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127923, "scanner": "repobility-supply-chain", "fingerprint": "e36087ba89856236c0be5db1ac0df01246bb2647f44a4781933f6c37fe237d2e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e36087ba89856236c0be5db1ac0df01246bb2647f44a4781933f6c37fe237d2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-mcp-staging.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127922, "scanner": "repobility-supply-chain", "fingerprint": "f54bd4cb60706985096621b68ea4418817992a3e28801bdb2a7bb709e991466f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f54bd4cb60706985096621b68ea4418817992a3e28801bdb2a7bb709e991466f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-mcp-staging.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@mcpjam/sdk` pulled from URL/Git: `dependencies.@mcpjam/sdk` = `file:../../../sdk` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 127921, "scanner": "repobility-supply-chain", "fingerprint": "4c85f4deed87a3c67416c53912cbf4e93013df37f0d2862cd41e416e532393f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c85f4deed87a3c67416c53912cbf4e93013df37f0d2862cd41e416e532393f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/evals/brightdata/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@mcpjam/sdk` pulled from URL/Git: `dependencies.@mcpjam/sdk` = `file:../../../sdk` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 127920, "scanner": "repobility-supply-chain", "fingerprint": "5653046ee82c4b9dcb0e58964a7041b976e0a65209f9a97914bb56846d460f08", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5653046ee82c4b9dcb0e58964a7041b976e0a65209f9a97914bb56846d460f08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/evals/asana/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@mcpjam/sdk` pulled from URL/Git: `dependencies.@mcpjam/sdk` = `file:../../../sdk` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 127919, "scanner": "repobility-supply-chain", "fingerprint": "5236fc99f3202b0928cf5e25064722c6bda249f7aae3eff0cb0db701d8a8f403", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5236fc99f3202b0928cf5e25064722c6bda249f7aae3eff0cb0db701d8a8f403"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/conformance/basic/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/web/testing/tools/list-no-rpc-logs has no auth: Express route POST /api/web/testing/tools/list-no-rpc-logs declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127918, "scanner": "repobility-route-auth", "fingerprint": "c7041f97d3ea519b4d0baa6f5ce912cd4a076288a075be0d9b0129415b0c2ef6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c7041f97d3ea519b4d0baa6f5ce912cd4a076288a075be0d9b0129415b0c2ef6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/routes/web/__tests__/rpc-logs.test.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /proxy has no auth: Express route POST /proxy declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127917, "scanner": "repobility-route-auth", "fingerprint": "31909f1c0757432e4eb59958e2a7fae5f42c88b8683b5bd9e1ccf4352b88b4ec", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|31909f1c0757432e4eb59958e2a7fae5f42c88b8683b5bd9e1ccf4352b88b4ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/routes/web/__tests__/oauth-auth.test.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /:serverId/messages has no auth: Express route POST /:serverId/messages declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127916, "scanner": "repobility-route-auth", "fingerprint": "f1789744326381b7bb00d1b053445e9735dd60b14632c04e9d660e2892099f97", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f1789744326381b7bb00d1b053445e9735dd60b14632c04e9d660e2892099f97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/routes/mcp/http-adapters.ts"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /proxy/token has no auth: Express route POST /proxy/token declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127915, "scanner": "repobility-route-auth", "fingerprint": "2465be0a3430e64d4e264cda31cb11e7a7ecf3f87df5e12c97d5d6fab62ee17d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2465be0a3430e64d4e264cda31cb11e7a7ecf3f87df5e12c97d5d6fab62ee17d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/routes/mcp/xaa.ts"}, "region": {"startLine": 254}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /token-exchange has no auth: Express route POST /token-exchange declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127914, "scanner": "repobility-route-auth", "fingerprint": "f4d588aef87c8bd6de1417179c88a8e1ece63af4e697037297aa3eb33c4cccb3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f4d588aef87c8bd6de1417179c88a8e1ece63af4e697037297aa3eb33c4cccb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/routes/mcp/xaa.ts"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /authenticate has no auth: Express route POST /authenticate declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127913, "scanner": "repobility-route-auth", "fingerprint": "bf68c499eeb823289a41c11322fc6631c4b667616166734ca33ae775164fd013", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|bf68c499eeb823289a41c11322fc6631c4b667616166734ca33ae775164fd013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/routes/mcp/xaa.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/apps/files/upload-file has no auth: Express route POST /api/apps/files/upload-file declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127912, "scanner": "repobility-route-auth", "fingerprint": "53554fbcc558eab9e7dab6f24c3474479854e26e3448eccadb5eab1346df1b1d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|53554fbcc558eab9e7dab6f24c3474479854e26e3448eccadb5eab1346df1b1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/middleware/__tests__/session-auth.test.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/mcp/test has no auth: Express route POST /api/mcp/test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127911, "scanner": "repobility-route-auth", "fingerprint": "85f830871d8199526c5e928c3ecc48a6ee6796196c48217cb194b513158c038a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|85f830871d8199526c5e928c3ecc48a6ee6796196c48217cb194b513158c038a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/middleware/__tests__/session-auth.test.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/test has no auth: Express route POST /api/test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127910, "scanner": "repobility-route-auth", "fingerprint": "9b37f81db6021850376c781716f23ce0a8891592cad22e62834f736d3d7194cc", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9b37f81db6021850376c781716f23ce0a8891592cad22e62834f736d3d7194cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/middleware/__tests__/origin-validation.test.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /proxy has no auth: Express route POST /proxy declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127909, "scanner": "repobility-route-auth", "fingerprint": "9454114147c1a298c7fad2bcc92abfea1bd7204458eb2f2d0e54f165396f2804", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9454114147c1a298c7fad2bcc92abfea1bd7204458eb2f2d0e54f165396f2804"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/middleware/__tests__/guest-rate-limit.test.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /submit has no auth: Express route POST /submit declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127908, "scanner": "repobility-route-auth", "fingerprint": "b3c0dc5cdc080fa5189a49595f71dbfb5f9301cad8598ca3b2283afc57f64a99", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b3c0dc5cdc080fa5189a49595f71dbfb5f9301cad8598ca3b2283afc57f64a99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/__tests__/in-app-browser.test.ts"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/mcp/oauth/debug/proxy has no auth: Express route POST /api/mcp/oauth/debug/proxy declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127907, "scanner": "repobility-route-auth", "fingerprint": "e225950ccc065d2b811d28e8febd37905b89a061cd6928cfbbf0bc878ed2360c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e225950ccc065d2b811d28e8febd37905b89a061cd6928cfbbf0bc878ed2360c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/__tests__/auth-integration.test.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/mcp/oauth/proxy has no auth: Express route POST /api/mcp/oauth/proxy declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127906, "scanner": "repobility-route-auth", "fingerprint": "c03020d7596da43c3046942125f8cf02c449b244b304c287a446bc4b629ce605", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c03020d7596da43c3046942125f8cf02c449b244b304c287a446bc4b629ce605"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/__tests__/auth-integration.test.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/mcp/prompts/get has no auth: Express route POST /api/mcp/prompts/get declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127905, "scanner": "repobility-route-auth", "fingerprint": "79451352247fabfe9a09b806550024cbe2467e09fdf7a52943c8491d5992bb44", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|79451352247fabfe9a09b806550024cbe2467e09fdf7a52943c8491d5992bb44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/__tests__/auth-integration.test.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/mcp/tools/call has no auth: Express route POST /api/mcp/tools/call declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127904, "scanner": "repobility-route-auth", "fingerprint": "74b1b91b18bec82c920a145f4d73f595e590a6fc5c7ab9cc6ce8c4bb30f8e273", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|74b1b91b18bec82c920a145f4d73f595e590a6fc5c7ab9cc6ce8c4bb30f8e273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/__tests__/auth-integration.test.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/mcp/resources/read has no auth: Express route POST /api/mcp/resources/read declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127903, "scanner": "repobility-route-auth", "fingerprint": "4dc7d3caf11b4a10cff0a886ce4fcc96a5b547d6a4b06eed88cf8528d5fda671", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4dc7d3caf11b4a10cff0a886ce4fcc96a5b547d6a4b06eed88cf8528d5fda671"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/__tests__/auth-integration.test.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/mcp/resources/list has no auth: Express route POST /api/mcp/resources/list declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127902, "scanner": "repobility-route-auth", "fingerprint": "5c6ea0ec2584eddd1bc9b292efaf12aa8d7bff9a77d870cd315698b75ac0b4de", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5c6ea0ec2584eddd1bc9b292efaf12aa8d7bff9a77d870cd315698b75ac0b4de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/__tests__/auth-integration.test.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/shutdown has no auth: Express route POST /api/shutdown declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 127901, "scanner": "repobility-route-auth", "fingerprint": "a704e0f563d336dfca4305aa4da117a97bbded8746104a411536768643f3b856", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a704e0f563d336dfca4305aa4da117a97bbded8746104a411536768643f3b856"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/index.ts"}, "region": {"startLine": 400}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 127900, "scanner": "repobility-journey-contract", "fingerprint": "16b316b9a7886836e183a33ce0383e9638c023ef6e2b3d22558914495cbc86b7", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|83|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/setting/OpenRouterConfigDialog.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 127899, "scanner": "repobility-journey-contract", "fingerprint": "7a364b6cd4c7ab25f16a54e1a386d6523c6ebc5dfc7ea37df557d77f1365fdd1", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|184|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/setting/CustomProviderConfigDialog.tsx"}, "region": {"startLine": 184}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 127898, "scanner": "repobility-journey-contract", "fingerprint": "d213141d1448c58c6a47bbece30cbba69bb130bfa4ed340468338d125ef916cd", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|76|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/setting/AzureOpenAIConfigDialog.tsx"}, "region": {"startLine": 76}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 127897, "scanner": "repobility-journey-contract", "fingerprint": "87e5d8846593d343db5a699e112205a73cb6ce2d572959c375c20c0332ee4390", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|1006|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/organization/OrganizationModelsSection.tsx"}, "region": {"startLine": 1006}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 127896, "scanner": "repobility-journey-contract", "fingerprint": "0afe30570a750246355cee2a681ce1bd5a33c3e902f80f313dad93de990c6465", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|759|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/organization/OrganizationModelsSection.tsx"}, "region": {"startLine": 759}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 127895, "scanner": "repobility-journey-contract", "fingerprint": "06d8cea6d6ad488ee6f9ba9517bdebdf0d2a77a8e9a26be0549a5c52f6c92d65", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|101|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/utils/local-server-resolver.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 127831, "scanner": "repobility-threat-engine", "fingerprint": "23d138da43f09daca556a0c9393f9eab6c09a204e1d848f322f3131c508ad505", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|23d138da43f09daca556a0c9393f9eab6c09a204e1d848f322f3131c508ad505"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/src/predicates/types.ts"}, "region": {"startLine": 148}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 127830, "scanner": "repobility-threat-engine", "fingerprint": "28879a70d5b66d3604e1ddf8f9ab96e31a189fe75c24fa990b02384c5d5bbb82", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n    String", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|28879a70d5b66d3604e1ddf8f9ab96e31a189fe75c24fa990b02384c5d5bbb82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/sync-docs-tokens.mjs"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC033", "level": "error", "message": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie)."}, "properties": {"repobilityId": 127828, "scanner": "repobility-threat-engine", "fingerprint": "ac9ba1d00c4694f9222b3a4ec2a23d8af4c015823995b3eee5efced72478211a", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "[body.serverId] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC033", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ac9ba1d00c4694f9222b3a4ec2a23d8af4c015823995b3eee5efced72478211a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/routes/web/hosted-rpc-logs.ts"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 127827, "scanner": "repobility-threat-engine", "fingerprint": "4b5ab4ddc06d67d683c403012dea7110e8109831ecc31701bc3873fa03bfbe6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post(\"/authenticate\", async (c) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4b5ab4ddc06d67d683c403012dea7110e8109831ecc31701bc3873fa03bfbe6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/routes/mcp/xaa.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 127826, "scanner": "repobility-threat-engine", "fingerprint": "dd55b8c0ee6d49a4d39badf8235009a2f191d3575c00de3c77b8570e546eefaf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post(\"/:serverId/messages\", async (c) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd55b8c0ee6d49a4d39badf8235009a2f191d3575c00de3c77b8570e546eefaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/server/routes/mcp/http-adapters.ts"}, "region": {"startLine": 165}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 127809, "scanner": "repobility-threat-engine", "fingerprint": "8d3cd8dfa45561acde0c3681f7c02e36d3651e097d8258786dd35a812921832c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((s) => `- ${s}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8d3cd8dfa45561acde0c3681f7c02e36d3651e097d8258786dd35a812921832c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/evals/ai-triage-helpers.ts"}, "region": {"startLine": 244}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 127808, "scanner": "repobility-threat-engine", "fingerprint": "21c95a0db1d2ac77cbc0e56ef0861c091804fdd757d84134ccc6e92919a94b23", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((d) => `${d.label}: ${d.domains.join(\" \")}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|21c95a0db1d2ac77cbc0e56ef0861c091804fdd757d84134ccc6e92919a94b23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/clients/redesigned/canvas/sandbox-config-grid.tsx"}, "region": {"startLine": 267}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 127807, "scanner": "repobility-threat-engine", "fingerprint": "ef2036e89e8542bbe0eeea97c7821320134441fdf5a87a3c9c66f99fc1d61623", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((node) => `${node.id}:${node.position.x}:${node.position.y}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef2036e89e8542bbe0eeea97c7821320134441fdf5a87a3c9c66f99fc1d61623"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chatboxes/builder/chatbox-canvas-viewport.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 127798, "scanner": "repobility-threat-engine", "fingerprint": "936a50932bffa93ef00c32a8bdba37f97e56633ba07b46d4aa6b2c76dd0f2bc9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(match", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|936a50932bffa93ef00c32a8bdba37f97e56633ba07b46d4aa6b2c76dd0f2bc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/src/oauth/state-machines/shared/challenges.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 127797, "scanner": "repobility-threat-engine", "fingerprint": "69a1482ebcb1c83d98aa9109be983f0773f92250f892507117b066c93bdfce3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(header", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|69a1482ebcb1c83d98aa9109be983f0773f92250f892507117b066c93bdfce3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/auth.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 127781, "scanner": "repobility-threat-engine", "fingerprint": "843f1332452fbc14a5fed61e77ec904fd5d3ec5c5e01db4f2efe29cc72d8d39f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(path);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|843f1332452fbc14a5fed61e77ec904fd5d3ec5c5e01db4f2efe29cc72d8d39f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/chat-v2/chat-input/skills/skill-file-tree-selectable.tsx"}, "region": {"startLine": 220}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 127780, "scanner": "repobility-threat-engine", "fingerprint": "9cfcbd1aca366360d75e7a160c8cc34ef1b3762661c6a7e2ef8e5ad9f3c9bd93", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "searchParams.delete(\"topup\");", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9cfcbd1aca366360d75e7a160c8cc34ef1b3762661c6a7e2ef8e5ad9f3c9bd93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/billing/CreditBalanceCard.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 127779, "scanner": "repobility-threat-engine", "fingerprint": "15af5a68cbb848349ae2a4f6417b175b43c2d020b2b2fc34db9af899f12f34a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sessions.delete(transport.sessionId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|15af5a68cbb848349ae2a4f6417b175b43c2d020b2b2fc34db9af899f12f34a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/conformance/basic/mock-http-server.mjs"}, "region": {"startLine": 201}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 127765, "scanner": "repobility-threat-engine", "fingerprint": "6aea20dac1cd2a0073d00c1cb1b0bb0f77411491157735e3dd4de7500445a165", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"access-control-allow-origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6aea20dac1cd2a0073d00c1cb1b0bb0f77411491157735e3dd4de7500445a165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/auth.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 127764, "scanner": "repobility-threat-engine", "fingerprint": "7f53ccccb914384866c80c4aaf6ee28e09c1a16ba12dc6c89b85b83b052ab021", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7f53ccccb914384866c80c4aaf6ee28e09c1a16ba12dc6c89b85b83b052ab021"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/conformance/basic/mock-http-server.mjs"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 127763, "scanner": "repobility-threat-engine", "fingerprint": "f94906b7c45066582a926f9e3a2eb61fa66d84fe4171e3af9c47114ca9c3ffaa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f94906b7c45066582a926f9e3a2eb61fa66d84fe4171e3af9c47114ca9c3ffaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/chatgpt-apps/CoffeeShop/server.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127757, "scanner": "repobility-threat-engine", "fingerprint": "625096f10a17648c36733ddbf1d486e1a0f57b1800143e889b932b5cdbb26165", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|625096f10a17648c36733ddbf1d486e1a0f57b1800143e889b932b5cdbb26165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/index.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127756, "scanner": "repobility-threat-engine", "fingerprint": "084b89b5477fca91094ea0cee180156829c1238e8eecc7186e77834ee7bc8071", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|084b89b5477fca91094ea0cee180156829c1238e8eecc7186e77834ee7bc8071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/inspector.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127755, "scanner": "repobility-threat-engine", "fingerprint": "1b64df113d5b50fcc0d8fcf0ae1e281001b56defae67544e33e5ec82b393f95c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1b64df113d5b50fcc0d8fcf0ae1e281001b56defae67544e33e5ec82b393f95c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/conformance.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED133", "level": "error", "message": {"text": "[MINED133] Hardcoded Slack webhook URL in source: File contains a hardcoded `Slack` webhook URL: `https://hooks.slack.com/services/T/B/NEW...`. Webhook URLs are unauthenticated POST endpoints \u2014 anyone with the URL can send messages. They are also a common data-exfiltration channel for compromised packages (malicious post-install collects env vars + POSTs them)."}, "properties": {"repobilityId": 127974, "scanner": "repobility-supply-chain", "fingerprint": "cb9a2c586d8dbbea8ed982efafdb382fdf8c31bac644bc0d85a99a5596c65641", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "exfil-webhook-url", "owasp": null, "cwe_ids": ["CWE-200", "CWE-540"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb9a2c586d8dbbea8ed982efafdb382fdf8c31bac644bc0d85a99a5596c65641"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/setting/__tests__/ProjectSlackIntegrationSection.test.tsx"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED133", "level": "error", "message": {"text": "[MINED133] Hardcoded Slack webhook URL in source: File contains a hardcoded `Slack` webhook URL: `https://hooks.slack.com/services/T/B/C...`. Webhook URLs are unauthenticated POST endpoints \u2014 anyone with the URL can send messages. They are also a common data-exfiltration channel for compromised packages (malicious post-install collects env vars + POSTs them)."}, "properties": {"repobilityId": 127973, "scanner": "repobility-supply-chain", "fingerprint": "713a452e809bc694be137cb6f41abb8b36ccd404013dc9a3cf75acefbd14ae0e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "exfil-webhook-url", "owasp": null, "cwe_ids": ["CWE-200", "CWE-540"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|713a452e809bc694be137cb6f41abb8b36ccd404013dc9a3cf75acefbd14ae0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcpjam-inspector/client/src/components/setting/__tests__/ProjectSlackIntegrationSection.test.tsx"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.ref }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 127972, "scanner": "repobility-supply-chain", "fingerprint": "61637ee5198e7813f3bcbde57fd9ba274ef9d2fc8491d8bc6631443b9c798380", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61637ee5198e7813f3bcbde57fd9ba274ef9d2fc8491d8bc6631443b9c798380"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BACKEND_PREVIEW_DISPATCH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BACKEND_PREVIEW_DISPATCH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127971, "scanner": "repobility-supply-chain", "fingerprint": "3dbead05339b8121f3ea0deddfe7511062695b926048cf74ee8858df4430c17c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3dbead05339b8121f3ea0deddfe7511062695b926048cf74ee8858df4430c17c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 726}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.STAGING_WORKOS_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.STAGING_WORKOS_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127970, "scanner": "repobility-supply-chain", "fingerprint": "8c457bd68d946f1a6f9ac3abc8af7f7043c9401fe48b942d5604889e3a98578c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c457bd68d946f1a6f9ac3abc8af7f7043c9401fe48b942d5604889e3a98578c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 693}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RAILWAY_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RAILWAY_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127969, "scanner": "repobility-supply-chain", "fingerprint": "387fe8ab341f3fe087988f211aaba11320497f5f99f718301be1a7b07db48e3b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|387fe8ab341f3fe087988f211aaba11320497f5f99f718301be1a7b07db48e3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 608}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RAILWAY_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RAILWAY_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127968, "scanner": "repobility-supply-chain", "fingerprint": "a88a4d0db447d31bc1a89e00bb02d74a868e68c21fad8cb2488627b690928fec", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a88a4d0db447d31bc1a89e00bb02d74a868e68c21fad8cb2488627b690928fec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 576}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BACKEND_PREVIEW_DISPATCH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BACKEND_PREVIEW_DISPATCH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127967, "scanner": "repobility-supply-chain", "fingerprint": "b49f57d6feb5e48e91381d84960f08c309127a3c31547ead8122f5babbab627f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b49f57d6feb5e48e91381d84960f08c309127a3c31547ead8122f5babbab627f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 556}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RAILWAY_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RAILWAY_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127966, "scanner": "repobility-supply-chain", "fingerprint": "bfc974079af8385f1b5ea7425655c715313b229f8b5d4daff1510fdfaa72fed3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfc974079af8385f1b5ea7425655c715313b229f8b5d4daff1510fdfaa72fed3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 538}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BACKEND_PREVIEW_DISPATCH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BACKEND_PREVIEW_DISPATCH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127965, "scanner": "repobility-supply-chain", "fingerprint": "e6798fa2e249bf594dd98f99bdf043e839ace209c6a11bed24fbd958076a8a7f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6798fa2e249bf594dd98f99bdf043e839ace209c6a11bed24fbd958076a8a7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 468}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BACKEND_PREVIEW_DISPATCH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BACKEND_PREVIEW_DISPATCH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127964, "scanner": "repobility-supply-chain", "fingerprint": "3270b6885a45c9faa7360eac0e10766e26d19900605113ec20eada659fa70bde", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3270b6885a45c9faa7360eac0e10766e26d19900605113ec20eada659fa70bde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 430}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.STAGING_WORKOS_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.STAGING_WORKOS_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127963, "scanner": "repobility-supply-chain", "fingerprint": "fa27e09422720491f61784373929ee319513618281a86649afcc63dcd13d28fa", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa27e09422720491f61784373929ee319513618281a86649afcc63dcd13d28fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 414}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RAILWAY_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RAILWAY_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127962, "scanner": "repobility-supply-chain", "fingerprint": "7d09d60db58d22f3f4745762f4973cc8651dd2a9f3289d994122fed28e7e9736", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d09d60db58d22f3f4745762f4973cc8651dd2a9f3289d994122fed28e7e9736"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 321}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BACKEND_PREVIEW_DISPATCH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BACKEND_PREVIEW_DISPATCH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127961, "scanner": "repobility-supply-chain", "fingerprint": "2fb731dd06e4718e8fa8baefb8cd97ab7b156b0063075d2f6f441401cab70596", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2fb731dd06e4718e8fa8baefb8cd97ab7b156b0063075d2f6f441401cab70596"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.STAGING_WORKOS_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.STAGING_WORKOS_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127960, "scanner": "repobility-supply-chain", "fingerprint": "0fa53934341e587f68970fb8caea44702e0dd5f3cb44ac009b81c41bda08c3d4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fa53934341e587f68970fb8caea44702e0dd5f3cb44ac009b81c41bda08c3d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BACKEND_PREVIEW_DISPATCH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BACKEND_PREVIEW_DISPATCH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127959, "scanner": "repobility-supply-chain", "fingerprint": "4d0416ab164de501b93d124b4c289841eb61c00eb0758c44f9d86a823e6d72f9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d0416ab164de501b93d124b4c289841eb61c00eb0758c44f9d86a823e6d72f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RAILWAY_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RAILWAY_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127958, "scanner": "repobility-supply-chain", "fingerprint": "6519188cd5d6698940c5f78382bfa0e53ff9b3ae09378cee4310f430e0d80584", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6519188cd5d6698940c5f78382bfa0e53ff9b3ae09378cee4310f430e0d80584"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-preview.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MINTLIFY_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MINTLIFY_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127957, "scanner": "repobility-supply-chain", "fingerprint": "4596011b7f89b4fd906dd7f6789105e36b2f51bf28e07acfcdb046e54f45f099", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4596011b7f89b4fd906dd7f6789105e36b2f51bf28e07acfcdb046e54f45f099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-docs.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MINTLIFY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MINTLIFY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127956, "scanner": "repobility-supply-chain", "fingerprint": "3a7acf2a4d54a05429a648937a0710166f5e902cf22bd4b91896f31971303382", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a7acf2a4d54a05429a648937a0710166f5e902cf22bd4b91896f31971303382"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-docs.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ANTHROPIC_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127955, "scanner": "repobility-supply-chain", "fingerprint": "657aa44bbc8c719ee6eafa22623603d3f86ec58a1909ab3784f6b28be6c48e66", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|657aa44bbc8c719ee6eafa22623603d3f86ec58a1909ab3784f6b28be6c48e66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mintlify-triage.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127942, "scanner": "repobility-supply-chain", "fingerprint": "c2a27b1a091f0186b1a5552d35cea837906004b85e8302b04f534e4032456ded", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c2a27b1a091f0186b1a5552d35cea837906004b85e8302b04f534e4032456ded"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127941, "scanner": "repobility-supply-chain", "fingerprint": "16e9287e970d755c7eb79f11b1843d07c4af1f2ca57ed8b234f57cfdd420a8df", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16e9287e970d755c7eb79f11b1843d07c4af1f2ca57ed8b234f57cfdd420a8df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127940, "scanner": "repobility-supply-chain", "fingerprint": "b586dae3fd901987cab1f11392990beb2738f243245d24d4eb56ae97b2762e51", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b586dae3fd901987cab1f11392990beb2738f243245d24d4eb56ae97b2762e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127939, "scanner": "repobility-supply-chain", "fingerprint": "0935d01236f8cb919153e98be57a9bbc5a85cbddc4125f6637676aefbbf722a5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0935d01236f8cb919153e98be57a9bbc5a85cbddc4125f6637676aefbbf722a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127938, "scanner": "repobility-supply-chain", "fingerprint": "0457379aa38cd5fee0f4f28ee9d5b33a79a5edf6c195ce15edcc4201a5fedff7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0457379aa38cd5fee0f4f28ee9d5b33a79a5edf6c195ce15edcc4201a5fedff7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127937, "scanner": "repobility-supply-chain", "fingerprint": "d32a0f9b7cbbe963166ee810abc2ce4e2417a203b02f577e81a10f6090128f0b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d32a0f9b7cbbe963166ee810abc2ce4e2417a203b02f577e81a10f6090128f0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127936, "scanner": "repobility-supply-chain", "fingerprint": "eb93ecdea5999e5cafc97c0f2709007cb509c2756ce22a717b499b0f2396f5f1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb93ecdea5999e5cafc97c0f2709007cb509c2756ce22a717b499b0f2396f5f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127935, "scanner": "repobility-supply-chain", "fingerprint": "ea71d7212588f342326b97b32e163b3ec3805bdb2535ef90e5ef985059cd9bc6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea71d7212588f342326b97b32e163b3ec3805bdb2535ef90e5ef985059cd9bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-mcp-preview.yml"}, "region": {"startLine": 69}}}]}]}]}