{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": 
"ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low",
"confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional file. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/350"}, "properties": {"repository": "777genius/agent-teams-ai", "repoUrl": "https://github.com/777genius/agent-teams-ai", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 11224, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 11223, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP",
"https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 11218, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 11217, "scanner": "repobility-docker", "fingerprint": "9317b71042e24253540656b06bff9afdfc7c4d953149aa0f898f9afe7785d719", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9317b71042e24253540656b06bff9afdfc7c4d953149aa0f898f9afe7785d719"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docker/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 11215, "scanner": "repobility-threat-engine", "fingerprint": "e5e62d9400eb3519b387e364d8132f23efe64f3a6f48b60c1efb5e2fdb54cefd", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e5e62d9400eb3519b387e364d8132f23efe64f3a6f48b60c1efb5e2fdb54cefd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/components/team/TeamListView.tsx"}, "region": {"startLine": 760}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 11214, "scanner": "repobility-threat-engine", "fingerprint": "d9a92fc0ea8e5cd6999b8c7549395e33b6eb669d56658a272c2d500c12696933", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d9a92fc0ea8e5cd6999b8c7549395e33b6eb669d56658a272c2d500c12696933"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/components/team/TeamDetailView.tsx"}, "region": {"startLine": 2642}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, 
"properties": {"repobilityId": 11209, "scanner": "repobility-agent-runtime", "fingerprint": "3b5795e2b59d6b9665a63e73a54d8bb5b5714f95d3a44772d199d38149348bab", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|3b5795e2b59d6b9665a63e73a54d8bb5b5714f95d3a44772d199d38149348bab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/recent-projects/renderer/utils/recentProjectOpenHistory.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 11208, "scanner": "repobility-agent-runtime", "fingerprint": "5eca9fd969e09c653d28050dab949a270994148b1de3826ae9c6150377db386a", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5eca9fd969e09c653d28050dab949a270994148b1de3826ae9c6150377db386a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/recent-projects/main/adapters/output/sources/CodexSessionFileRecentProjectsSourceAdapter.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 11207, "scanner": "repobility-agent-runtime", 
"fingerprint": "ef14db2152811756ec0a36fe19280b9585b65f693ccb65c0c24614b97d213d07", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ef14db2152811756ec0a36fe19280b9585b65f693ccb65c0c24614b97d213d07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/member-log-stream/core/domain/policies/memberLogPreviewExtractor.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 11206, "scanner": "repobility-agent-runtime", "fingerprint": "357fc25e4574c75d988cdc97290043cc8ba043cce116dcfb2c54e7e010ff94a9", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|357fc25e4574c75d988cdc97290043cc8ba043cce116dcfb2c54e7e010ff94a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/agent-graph/renderer/hooks/useGraphSidebarVisibility.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 11205, "scanner": "repobility-agent-runtime", "fingerprint": "18c25d2c6e2eef4c2b2b3c32ff69e3147d97912c63923a479cb8290073cfd427", "category": "quality", "severity": "medium", 
"confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|18c25d2c6e2eef4c2b2b3c32ff69e3147d97912c63923a479cb8290073cfd427"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/research/best-abstraction-for-electron.md"}, "region": {"startLine": 105}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11204, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8bb5eb19767606901e50a44f7190a1cf4663abd8c2925adff7ce68cbd0f8f06d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/features/member-work-sync/main/infrastructure/ClaudeStopHookPayloadNormalizer.ts", "duplicate_line": 1, "correlation_key": "fp|8bb5eb19767606901e50a44f7190a1cf4663abd8c2925adff7ce68cbd0f8f06d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/member-work-sync/main/infrastructure/CodexNativeTurnSettledPayloadNormalizer.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11203, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42a337ee75e606f01acfc0cf11efcfdd221632b827429fb884b5c14c0303a261", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/features/member-work-sync/main/adapters/output/TeamRuntimeTurnSettledTargetResolver.ts", "duplicate_line": 30, "correlation_key": "fp|42a337ee75e606f01acfc0cf11efcfdd221632b827429fb884b5c14c0303a261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/member-work-sync/main/adapters/output/TeamTaskAgendaSource.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11202, "scanner": "repobility-ai-code-hygiene", "fingerprint": "726ccfab415acb5e10fe7717b0d7f628745448b3763416b8bee7607d5aeb7942", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/features/member-log-stream/main/adapters/output/sources/OpenCodeMemberRuntimePreviewSource.ts", "duplicate_line": 142, "correlation_key": "fp|726ccfab415acb5e10fe7717b0d7f628745448b3763416b8bee7607d5aeb7942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/member-log-stream/main/adapters/output/sources/OpenCodeMemberVisibleActivityReader.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11201, "scanner": "repobility-ai-code-hygiene", "fingerprint": "547df24cd4567bd21b8ef06590cccca373e9eb58dd721b4c62ee20c9796344fc", "category": "quality", "severity": "medium", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/features/member-log-stream/main/adapters/output/sources/OpenCodeMemberRuntimePreviewSource.ts", "duplicate_line": 85, "correlation_key": "fp|547df24cd4567bd21b8ef06590cccca373e9eb58dd721b4c62ee20c9796344fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/member-log-stream/main/adapters/output/sources/OpenCodeMemberRuntimeStreamSource.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11200, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da806be93adafca84fe7287dd9a6a9b3cade1a2c202a00c72a202dd901a73f04", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/features/member-log-stream/core/domain/policies/memberLogPreviewMergePolicy.ts", "duplicate_line": 18, "correlation_key": "fp|da806be93adafca84fe7287dd9a6a9b3cade1a2c202a00c72a202dd901a73f04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/member-log-stream/main/adapters/output/sources/OpenCodeMemberRuntimePreviewSource.ts"}, "region": {"startLine": 322}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11199, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"da18703983bc0794f16b0b93394b34090bf827160403bfe53e32c12a83d4fcac", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/features/codex-runtime-profile/main/index.ts", "duplicate_line": 1, "correlation_key": "fp|da18703983bc0794f16b0b93394b34090bf827160403bfe53e32c12a83d4fcac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/codex-runtime-profile/renderer/index.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11198, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b937e136b45a6d849897a0e1fe6f699d53c1919a77ebab1475dae511330b8064", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/features/agent-graph/renderer/ui/TeamGraphOverlay.tsx", "duplicate_line": 11, "correlation_key": "fp|b937e136b45a6d849897a0e1fe6f699d53c1919a77ebab1475dae511330b8064"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/agent-graph/renderer/ui/TeamGraphTab.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11197, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6457a66a8b8fac038e6dc4963a4edeb6fed2553cf791311f09c97697e0ec6cd4", 
"category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/features/agent-graph/renderer/ui/GraphActivityHud.tsx", "duplicate_line": 119, "correlation_key": "fp|6457a66a8b8fac038e6dc4963a4edeb6fed2553cf791311f09c97697e0ec6cd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/features/agent-graph/renderer/ui/GraphMemberLogPreviewHud.tsx"}, "region": {"startLine": 296}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11196, "scanner": "repobility-ai-code-hygiene", "fingerprint": "753531c09d638bf101809661c1bc3eb4bd1cccc7a18940b3af66fb4eeba69bd9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent-teams-controller/src/internal/crossTeam.js", "duplicate_line": 88, "correlation_key": "fp|753531c09d638bf101809661c1bc3eb4bd1cccc7a18940b3af66fb4eeba69bd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent-teams-controller/src/internal/taskStore.js"}, "region": {"startLine": 206}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11195, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be920b5b9e82284c1842e7f0e3b7b2cb78e10fe22cf136e8fc24ed95bb81746d", "category": "quality", "severity": "medium", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent-teams-controller/src/internal/messageStore.js", "duplicate_line": 4, "correlation_key": "fp|be920b5b9e82284c1842e7f0e3b7b2cb78e10fe22cf136e8fc24ed95bb81746d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent-teams-controller/src/internal/taskStore.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11194, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e2970d99a5b97f1936c554a01c9ff505e5073acf32d620f9ccd1a1f4a6e1028d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent-teams-controller/src/internal/kanbanStore.js", "duplicate_line": 4, "correlation_key": "fp|e2970d99a5b97f1936c554a01c9ff505e5073acf32d620f9ccd1a1f4a6e1028d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent-teams-controller/src/internal/processStore.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11193, "scanner": "repobility-ai-code-hygiene", "fingerprint": "271c6d6421049615c34bfe395a23690a352bd57eeeb50f9dacd89276255eae3a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent-teams-controller/src/internal/crossTeam.js", "duplicate_line": 88, "correlation_key": "fp|271c6d6421049615c34bfe395a23690a352bd57eeeb50f9dacd89276255eae3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent-teams-controller/src/internal/messageStore.js"}, "region": {"startLine": 46}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 11222, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 11220, "scanner": "repobility-docker", "fingerprint": "85d35d3d30e6397035fef20421715645ff370859631c18805207e6cfc0d330a6", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "agent-teams-ai", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|85d35d3d30e6397035fef20421715645ff370859631c18805207e6cfc0d330a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 11219, "scanner": "repobility-docker", "fingerprint": "a0187aedb2f497eb5b049019e8dcf3b85500554244c784116adbcdc6f762c440", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "agent-teams-ai", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a0187aedb2f497eb5b049019e8dcf3b85500554244c784116adbcdc6f762c440"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 11192, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "build", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "build"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 11213, "scanner": "repobility-threat-engine", "fingerprint": "7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 11212, "scanner": "repobility-threat-engine", "fingerprint": "fa91570a36f4acf4b6b45fe67692c858b0d794f672ebb198fbe608c815ddfeca", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Suppressed by heuristic: the token 'crypto' appears on the same line as Math.random(). This does not prove the value is non-security; confirm the random value is not used for tokens, identifiers, or secrets before accepting the false-positive triage.", "evidence": {"match": "Math.random()", "reason": "Suppressed by heuristic: the token 'crypto' appears on the same line as Math.random(). This does not prove the value is non-security; confirm the random value is not used for tokens, identifiers, or secrets before accepting the false-positive triage.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|20|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent-teams-controller/src/internal/runtimeHelpers.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 11211, "scanner": "repobility-threat-engine", "fingerprint": "b6e4d01050692f24b220c2d5a2b8e62e7087dcd3514e9c4860beef22db73996b", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|36|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent-graph/src/canvas/background-layer.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 11210, "scanner": "repobility-threat-engine", "fingerprint": "7d6d9697fee82d38183488650fa3aeb108aaf8344530fd0523387415be3f71cf", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|45|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent-graph/src/canvas/draw-effects.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 11221, "scanner": "repobility-journey-contract", "fingerprint": "4c4e72b6b4154b59140caedb8d4dce799fb963b150be3eb8af874aff317309fd", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|466|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/components/settings/sections/ConnectionSection.tsx"}, "region": {"startLine": 466}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 11216, "scanner": 
"repobility-docker", "fingerprint": "986a767de732e078ac1af17cd964d854e49b6b3c4a860f6e079ee18ef3c69ee1", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|986a767de732e078ac1af17cd964d854e49b6b3c4a860f6e079ee18ef3c69ee1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 23}}}]}]}]}