{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. 
Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. 
Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. 
If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). 
Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, 
"cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 26 more): Same pattern found in 26 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 10 more): Same pattern found in 10 additional files", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 78 more): Same pattern found in 78 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 78 more): Same pattern found in 78 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 21 more): Same pattern found in 21 additional files. 
Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 114 more): Same pattern found in 114 a", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 114 more): Same pattern found in 114 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 85 more): Same pattern found in 85 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 85 more): Same pattern found in 85 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 25 more): Same pattern found in 25 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `mitmproxy/mitmproxy:11.0.2` not pinned by digest: `FROM mitmproxy/mitmproxy:11.0.2` resolves", "shortDescription": {"text": "[MINED118] Dockerfile FROM `mitmproxy/mitmproxy:11.0.2` not pinned by digest: `FROM mitmproxy/mitmproxy:11.0.2` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially diffe"}, "fullDescription": {"text": "Replace with: `FROM mitmproxy/mitmproxy:11.0.2@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `@vellumai/local-mode` pulled from URL/Git: `dependencies.@vellumai/local-mode` = `file:../.", "shortDescription": {"text": "[MINED122] package.json dep `@vellumai/local-mode` pulled from URL/Git: `dependencies.@vellumai/local-mode` = `file:../../packages/local-mode` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If t"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertIsNone` used but never assigned in __init__: Method `test_unrelated_line_returns_none` of class `", "shortDescription": {"text": "[MINED108] `self.assertIsNone` used but never assigned in __init__: Method `test_unrelated_line_returns_none` of class `ParseEventLineTests` reads `self.assertIsNone`, but no assignment to it exists in __init__ (and no class-level fallback)"}, "fullDescription": {"text": "Initialize `self.assertIsNone = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. 
Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or an appropriate value, optionally a `(connect, read)` tuple) to every requests call. Note that `timeout` bounds each individual socket wait, not the total request time."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC111", "name": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Cal", "shortDescription": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS."}, "fullDescription": {"text": "Use `django.utils.html.format_html(\"<p>{}</p>\", user_input)` \u2014 Django will escape the placeholder. Or escape explicitly with `django.utils.html.escape()`. 
Only use `mark_safe` on string literals."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Resolve the path with os.path.realpath() and verify the result lies inside the expected base directory using os.path.commonpath(); a bare startswith() check is not enough, since it also accepts sibling directories such as /data_evil for base /data. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.VELLUM_AUTOMATION_GITHUB_PRIVATE_KEY` on a `pull_request` trigger: This workflow trigg", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.VELLUM_AUTOMATION_GITHUB_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VELLUM_AUTOMATION_GITHUB_PRIVATE_KEY }`"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. 
Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1199"}, "properties": {"repository": "vellum-ai/vellum-assistant", "repoUrl": "https://github.com/vellum-ai/vellum-assistant", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 120707, "scanner": "repobility-ast-engine", "fingerprint": "9ebe8dfdf44a0e540f424a6b91b405fad071dc0e032ffb40472e44f93d7d0d04", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ebe8dfdf44a0e540f424a6b91b405fad071dc0e032ffb40472e44f93d7d0d04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/recording/usage_parser.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 120680, "scanner": "repobility-journey-contract", "fingerprint": "896bd55ab0e3edd928d0343759793e7046614e8ab0488eecc14f452f5f7329c1", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|90|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/lib/auth/gateway-session.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 120679, "scanner": "repobility-journey-contract", "fingerprint": "44c55df798555a2dcc7894f819c8ded6844553333132a538d85d81925f6f8eba", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": 
"open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|89|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/lib/auth/gateway-session.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 120678, "scanner": "repobility-journey-contract", "fingerprint": "a067c7973024a779878bfc8ccad9791b5ef00f1bb2c315048ba510ab22ca9dee", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|75|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/lib/auth/gateway-session.ts"}, "region": {"startLine": 75}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 120677, "scanner": "repobility-journey-contract", "fingerprint": "57ec37193136e95e815cbc96781c4c1c1450a2a1793b56a09f9cc2d3d7517796", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], 
"correlation_key": "code|auth|token|73|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/lib/auth/gateway-session.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 120676, "scanner": "repobility-journey-contract", "fingerprint": "8d3c3a2f1d778a6cafa747dffb83bbdec0c0cf6c7ade4fbb6c87dc000cf0752a", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|40|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/lib/auth/gateway-session.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 120675, "scanner": "repobility-journey-contract", "fingerprint": "965fb9ff73a564b50a426b71519f124d9a934d101b60ca49c3d8f3b340464685", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|39|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/lib/auth/gateway-session.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy 
found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 120674, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 120673, "scanner": "repobility-docker", "fingerprint": "bb7bef83edddafccaec3e18a9ba000fc546e933bf3d8dafea0bea8497dce1ea7", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "oven/bun:1.3.11@sha256:0733e50325078969732ebe3b15ce4c4be5082f18c4ac1a0f0ca4839c2e4e42a7", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bb7bef83edddafccaec3e18a9ba000fc546e933bf3d8dafea0bea8497dce1ea7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/meet-join/bot/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, 
"properties": {"repobilityId": 120670, "scanner": "repobility-docker", "fingerprint": "b1a383f5a494665c0e39069d608b8f4d98321e18022cd4a4e086faf1bdcceec7", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b1a383f5a494665c0e39069d608b8f4d98321e18022cd4a4e086faf1bdcceec7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 120661, "scanner": "repobility-agent-runtime", "fingerprint": "ff0f79335e6722b48623247e795c194d9cced72f5f208c8c3ce7676577a79bce", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ff0f79335e6722b48623247e795c194d9cced72f5f208c8c3ce7676577a79bce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/account/pages/oauth-popup-complete-page.tsx"}, "region": {"startLine": 247}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): 
AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 120625, "scanner": "repobility-threat-engine", "fingerprint": "39e111a713ce4871fa108f03af2f32adcf1824ea7c1745c14af1881d32974af5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"your-api-key-here\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|39e111a713ce4871fa108f03af2f32adcf1824ea7c1745c14af1881d32974af5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/security/secret-scanner.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. 
Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 120624, "scanner": "repobility-threat-engine", "fingerprint": "0389ee2731b4c45f73ca0160dca8e55d37115f7e39de6310c7c1f7d778555a72", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"your-api-key-here\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0389ee2731b4c45f73ca0160dca8e55d37115f7e39de6310c7c1f7d778555a72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/security/secret-ingress.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 120611, "scanner": "repobility-threat-engine", "fingerprint": "a550c1bd8bc55a72ae156197e1b52b2aafc6ed30d988c80818ff3faec108ffdb", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|25|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/cli/utils/parse-duration.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 120598, "scanner": "repobility-threat-engine", 
"fingerprint": "c84c722a62b15459d4e7f361e5a30da6acd1970fe671d91b4dcadecffa0db3bb", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c84c722a62b15459d4e7f361e5a30da6acd1970fe671d91b4dcadecffa0db3bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/voice/live-voice/pcm-capture.ts"}, "region": {"startLine": 245}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 120597, "scanner": "repobility-threat-engine", "fingerprint": "e512590acb2b6da1fda5b46268034c7c2cc6415111d3b3b94045263f99ddbd47", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e512590acb2b6da1fda5b46268034c7c2cc6415111d3b3b94045263f99ddbd47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/streaming/sse-event-consumer.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 120596, "scanner": "repobility-threat-engine", "fingerprint": "90a711429990ac85e7085a1daf2de1496e5e44d8523587c89942e94d3ca1ff5c", "category": "error_handling", "severity": "medium", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|90a711429990ac85e7085a1daf2de1496e5e44d8523587c89942e94d3ca1ff5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/surfaces/table-surface.tsx"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 120595, "scanner": "repobility-threat-engine", "fingerprint": "4ce2c74615325f292edc07adae60f9a9fc1636185141c79800ae37a29955c5ce", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4ce2c74615325f292edc07adae60f9a9fc1636185141c79800ae37a29955c5ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/runtime/routes/playground/seed-conversation.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: 
Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 120594, "scanner": "repobility-threat-engine", "fingerprint": "8c1e23ab95299ff5e35e2e3cce7d6baa6b27d189fae22f5f603115d0562cb2f9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"user@example.com\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8c1e23ab95299ff5e35e2e3cce7d6baa6b27d189fae22f5f603115d0562cb2f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/surfaces/choice-copy-surfaces.stories.tsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 120593, "scanner": "repobility-threat-engine", "fingerprint": "223e0563e6d061008301ec49e35b85c5004f0bbcae6f51a445c546d4d34d5083", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ivity: \"Checking the current time\",\n    iconName: \"code\",\n    toolCallId: `tc-${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|223e0563e6d061008301ec49e35b85c5004f0bbcae6f51a445c546d4d34d5083"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/tool-progress-card/phase-grouped-step-list.stories.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 120592, "scanner": "repobility-threat-engine", "fingerprint": "78bc81f5ee644d83c595527fa5a556b6a2071ae2ab685ab35373918d7e6a595a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2, 8)}`,\n    name: \"bash\",\n    input: { command: \"date\", activ", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|78bc81f5ee644d83c595527fa5a556b6a2071ae2ab685ab35373918d7e6a595a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/inline-activity-link/inline-tool-link.stories.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 120591, "scanner": "repobility-threat-engine", "fingerprint": "730ffdab913cf71f0356ab59f006e939ea4219093297af36a5ba89613a4dd74b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2, 8)}`,\n    name: \"bash\",\n    input: { command: \"date\", activ", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|730ffdab913cf71f0356ab59f006e939ea4219093297af36a5ba89613a4dd74b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/activity-run-card/activity-run-card.stories.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 120586, "scanner": "repobility-threat-engine", "fingerprint": "509da2a90bc48187d841ee32efbb4cd36128d914c6bd169b4a1eb4db7d28780c", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = authorize_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|509da2a90bc48187d841ee32efbb4cd36128d914c6bd169b4a1eb4db7d28780c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/settings/ai/chatgpt-oauth-section.tsx"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 120585, "scanner": "repobility-threat-engine", "fingerprint": "cbf9e11019ec193255c47fe68e64006b9fd6f341a23dfd0ba422967c1dbe6a6a", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = adminUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cbf9e11019ec193255c47fe68e64006b9fd6f341a23dfd0ba422967c1dbe6a6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/preferences-menu.tsx"}, "region": {"startLine": 240}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 120584, "scanner": "repobility-threat-engine", "fingerprint": "ff184d7d0fe74727c9fbc19f5e4980899e91de9f42fd12c288eb8dbf7302c8b8", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = connectUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ff184d7d0fe74727c9fbc19f5e4980899e91de9f42fd12c288eb8dbf7302c8b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/api/managed-oauth.ts"}, "region": {"startLine": 377}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 120582, "scanner": "repobility-threat-engine", "fingerprint": "7ded710ede19e18c9af68d820f22403ddd3b653dd07757b2d7687e4134f1c04b", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(routes.conversation(conversation.conversationId)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|118|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/hooks/use-conversation-secondary-actions.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 120581, "scanner": "repobility-threat-engine", "fingerprint": "d61781229d0ad91605864d7669b1edd12ed566ff0a44bfb84848200a3c58bd68", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a\n      href={href}\n      target=\"_blank\"\n      rel={opensOAuthPopup ? 
undefined : \"noopener norefe", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|24|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/chat-markdown-message.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 120580, "scanner": "repobility-threat-engine", "fingerprint": "ee61ee3ef5ab204fa48d6f91dd7a781bca1692f1b94cdde5b8d8d4e443318842", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(\"\", \"_blank\", \"width=500,height=600\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|349|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/api/managed-oauth.ts"}, "region": {"startLine": 349}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 120564, "scanner": "repobility-threat-engine", "fingerprint": 
"0a44995588cf8e06f1ba6374760fa080749c749bdcafe425542bb03612ec5929", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|162|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/scripts/transform-daemon-spec.ts"}, "region": {"startLine": 162}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 120558, "scanner": "repobility-threat-engine", "fingerprint": "23bf339a3cb7fb8cdb48e0b3a3d1ad844be1d56f67d4abe874c2dbc1589d5259", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|29|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/avatar/animated-avatar.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 120557, "scanner": "repobility-threat-engine", "fingerprint": "e4c28d09a0951ecfaa1129f7a32f0f377f2d7f6cb2d6b317f3a6ade20b4689c4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|42|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/eslint-rules/cross-domain-matchers.mjs"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 120556, "scanner": "repobility-threat-engine", "fingerprint": "79bd3b11f799401068d43939cd79acf7cb40d1309f2c2cadb9aa3820509915a7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|51|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/src/main/status-icon.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 120672, "scanner": "repobility-docker", "fingerprint": "50035e6e70a65e395e5e718101c43e99d0847a9ee40a6f9eba811e1330ab1db4", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|50035e6e70a65e395e5e718101c43e99d0847a9ee40a6f9eba811e1330ab1db4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gateway/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 120669, "scanner": "repobility-docker", "fingerprint": "9927c8ec5f8237ddad1a942bb0217604cd45d03feac8c911d61f27e57987d748", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, 
"reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9927c8ec5f8237ddad1a942bb0217604cd45d03feac8c911d61f27e57987d748"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "credential-executor/Dockerfile"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 120667, "scanner": "repobility-docker", "fingerprint": "8a264ca586063e7102205e442552c70ee6e54810e47dc2d3be2057bdc97b3a93", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8a264ca586063e7102205e442552c70ee6e54810e47dc2d3be2057bdc97b3a93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "credential-executor/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 120666, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], 
"correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 120664, "scanner": "repobility-docker", "fingerprint": "b51202138991ce4459ac3a244f49995afae595160781ee9f55e219e3ef5a2d2d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b51202138991ce4459ac3a244f49995afae595160781ee9f55e219e3ef5a2d2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/Dockerfile"}, "region": {"startLine": 73}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 120662, "scanner": "repobility-docker", "fingerprint": "10e9f745c34e35524cb06fa84a2336baef6b527e5883039fb189d1bce1de2005", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|10e9f745c34e35524cb06fa84a2336baef6b527e5883039fb189d1bce1de2005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/Dockerfile"}, "region": {"startLine": 
7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120660, "scanner": "repobility-ai-code-hygiene", "fingerprint": "abd14076019bc8b5f5701314a68d0396487e9f9f0862342d2d40e14f97108f30", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/domains/chat/hooks/send-message-utils.ts", "duplicate_line": 28, "correlation_key": "fp|abd14076019bc8b5f5701314a68d0396487e9f9f0862342d2d40e14f97108f30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/hooks/use-interaction-actions.ts"}, "region": {"startLine": 243}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120659, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d01299cae14c522bc160d7a2611d0fad8caaa3c671dd7953f74857f2d6433f6c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/domains/chat/components/composer-settings-menu.tsx", "duplicate_line": 92, "correlation_key": "fp|d01299cae14c522bc160d7a2611d0fad8caaa3c671dd7953f74857f2d6433f6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/hooks/use-active-profile-model.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120658, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0107bddaddc3e9e3ab7d1b403f72fde83532d83a96f982c2acc67e97258deed5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/domains/chat/components/web-search/web-search-progress-card.tsx", "duplicate_line": 18, "correlation_key": "fp|0107bddaddc3e9e3ab7d1b403f72fde83532d83a96f982c2acc67e97258deed5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/hooks/tool-call-card-utils.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120657, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3b42fa672b814a4f09580c62c3f29d9da0b1898a5248a37b02df6cbba7b656aa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/domains/chat/components/confirmation-prompt-card.tsx", "duplicate_line": 33, "correlation_key": "fp|3b42fa672b814a4f09580c62c3f29d9da0b1898a5248a37b02df6cbba7b656aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/tool-call-chip/tool-call-chip.tsx"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 120656, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7bc3f535d865a89d7363968e937efad183799f9a9bb28ad1254b834c226d0760", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/domains/chat/components/surfaces/choice-copy-surfaces.stories.tsx", "duplicate_line": 10, "correlation_key": "fp|7bc3f535d865a89d7363968e937efad183799f9a9bb28ad1254b834c226d0760"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/surfaces/work-result-surface.stories.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120655, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee6ff63d38edcf7ea3327cdf53e9dd492bd7fc57daa2c5787e403970725739c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/domains/chat/components/onboarding-choice-card.tsx", "duplicate_line": 96, "correlation_key": "fp|ee6ff63d38edcf7ea3327cdf53e9dd492bd7fc57daa2c5787e403970725739c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/surfaces/task-preferences-surface.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": 
{"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120654, "scanner": "repobility-ai-code-hygiene", "fingerprint": "078bba2c2fddcf8ec644afd78cc54a5bea985edee57f8d62f1e3880bcc7a475d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/domains/chat/components/chat-content-layout.tsx", "duplicate_line": 56, "correlation_key": "fp|078bba2c2fddcf8ec644afd78cc54a5bea985edee57f8d62f1e3880bcc7a475d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/mobile-chat-overlays.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120653, "scanner": "repobility-ai-code-hygiene", "fingerprint": "213b2466b3a6870b9682aa5792ed577b3f24443aa0f770854a05b949b81031bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/domains/chat/components/activity-run-card/activity-run-card.stories.tsx", "duplicate_line": 5, "correlation_key": "fp|213b2466b3a6870b9682aa5792ed577b3f24443aa0f770854a05b949b81031bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/inline-activity-link/inline-tool-link.stories.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120652, "scanner": "repobility-ai-code-hygiene", "fingerprint": "400447f4625ace2d38920c4909a849b4ff9a1883b430716e3aa7582a75d51cc8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/domains/chat/components/chat-attachments/attachment-chip.tsx", "duplicate_line": 61, "correlation_key": "fp|400447f4625ace2d38920c4909a849b4ff9a1883b430716e3aa7582a75d51cc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/chat-attachments/message-attachment-square.tsx"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120651, "scanner": "repobility-ai-code-hygiene", "fingerprint": "243e72a7b0f5ce165df0cc918d1804a7a649009c374cb2ecfc2a5e3c1f702bee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/components/mobile-sidebar-drawer.tsx", "duplicate_line": 52, "correlation_key": "fp|243e72a7b0f5ce165df0cc918d1804a7a649009c374cb2ecfc2a5e3c1f702bee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/chat-layout.tsx"}, "region": {"startLine": 293}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 120650, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be430c267afd60f9c85ae861c2d437d414a0248525d5bf08984ebcb6bce21706", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/domains/account/handle.ts", "duplicate_line": 79, "correlation_key": "fp|be430c267afd60f9c85ae861c2d437d414a0248525d5bf08984ebcb6bce21706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/account/profile.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120649, "scanner": "repobility-ai-code-hygiene", "fingerprint": "304c366b0986969ed57fc7a3611376d126683ed2429ce0952d850fb13a0229f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/domains/account/pages/oauth-complete-page.tsx", "duplicate_line": 7, "correlation_key": "fp|304c366b0986969ed57fc7a3611376d126683ed2429ce0952d850fb13a0229f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/account/pages/oauth-popup-complete-page.tsx"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120648, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "e4c3710b06e6ae53f60a01b92a8ddcb35bde780e4a6ed3f1a24d2b065cbba1c7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/macos/scripts/run-tests.ts", "duplicate_line": 11, "correlation_key": "fp|e4c3710b06e6ae53f60a01b92a8ddcb35bde780e4a6ed3f1a24d2b065cbba1c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/scripts/run-tests.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 120647, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a56954f04c77aaa76528a03030190c673c443011b7ae1a2cd3cf6541bff5df6d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/macos/src/main/commands.ts", "duplicate_line": 3, "correlation_key": "fp|a56954f04c77aaa76528a03030190c673c443011b7ae1a2cd3cf6541bff5df6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/src/preload/index.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120646, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2ee8795edca64211e334331a35db9955531c25b5e2177ae23703ae5c2f3a5d50", "category": "quality", "severity": "low", 
"confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|2ee8795edca64211e334331a35db9955531c25b5e2177ae23703ae5c2f3a5d50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/tools/tasks/work-item-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120645, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47acb9c3448a32bdcac03fa0cd981d6b80ab8fa80c5225bf475145f3ad65a23b", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|47acb9c3448a32bdcac03fa0cd981d6b80ab8fa80c5225bf475145f3ad65a23b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/proactive-artifact/message-copy.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120644, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6781465167a11f2d8045cde6980233663bb2a05f6b74c1a4c4a06fdaea48184", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "temp", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|f6781465167a11f2d8045cde6980233663bb2a05f6b74c1a4c4a06fdaea48184"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/plugins/defaults/memory-retrieval/hooks/user-prompt-submit-temp.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120643, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d8afcda97b97368809865c33ff0aa3d39db896f4afd9122d1850fe473a9f16e2", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|d8afcda97b97368809865c33ff0aa3d39db896f4afd9122d1850fe473a9f16e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/config/bundled-skills/settings/tools/voice-config-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120642, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dd31ad3e3962811f420ded8b03aad88a2330bbb423a9b1d57983953905b3ba5d", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|dd31ad3e3962811f420ded8b03aad88a2330bbb423a9b1d57983953905b3ba5d"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "assistant/src/config/bundled-skills/sequences/tools/sequence-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120641, "scanner": "repobility-ai-code-hygiene", "fingerprint": "28327260ad79e481995e69a5f0912d8906dd170ace1d0e5e7bd6286b1611a4d8", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|28327260ad79e481995e69a5f0912d8906dd170ace1d0e5e7bd6286b1611a4d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/config/bundled-skills/playbooks/tools/playbook-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120640, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6183616c4b9ebe33263743e67cbe70cecc248a96c31267e93bca387fbf38bdc6", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|6183616c4b9ebe33263743e67cbe70cecc248a96c31267e93bca387fbf38bdc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/config/bundled-skills/messaging/tools/messaging-draft.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch 
artifact"}, "properties": {"repobilityId": 120639, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f0fd66729d39f17d36099b82d8331dca7c645eaa4cca57889a2d7bd00080a00a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|f0fd66729d39f17d36099b82d8331dca7c645eaa4cca57889a2d7bd00080a00a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/calls/guardian-question-copy.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120638, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25f4aa99376917fcc4d7645ca469990872de17f211e5b31a1d0f925b0dfb791c", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|25f4aa99376917fcc4d7645ca469990872de17f211e5b31a1d0f925b0dfb791c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/api/events/usage-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120637, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e4282048e4fdc9bdc4219052a3f430e108011de696ac04470ddc796dcaf686a6", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e4282048e4fdc9bdc4219052a3f430e108011de696ac04470ddc796dcaf686a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/api/events/ui-surface-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120636, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8019b610e7fe59e1cf1411df6ddc2f551dd8fa46a1358a4ecbe91aec75a67e12", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "updated", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|8019b610e7fe59e1cf1411df6ddc2f551dd8fa46a1358a4ecbe91aec75a67e12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/api/events/relationship-state-updated.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120635, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a07e906a5088bd60f1d13d68cba9d57122ebfca6e6a0a9eb5edf69083e7c1cf", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "updated", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], 
"correlation_key": "fp|2a07e906a5088bd60f1d13d68cba9d57122ebfca6e6a0a9eb5edf69083e7c1cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/api/events/home-feed-updated.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120634, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b89fdd756ea1f258d9b987d0117466b875b0e95fe71c6378a0b7078540cb2bd5", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|b89fdd756ea1f258d9b987d0117466b875b0e95fe71c6378a0b7078540cb2bd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/api/events/document-editor-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120633, "scanner": "repobility-ai-code-hygiene", "fingerprint": "095affbe3a229fb2aa65a238cb362ddabb6146adb0ec89274e5055dc7c2c998a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "updated", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|095affbe3a229fb2aa65a238cb362ddabb6146adb0ec89274e5055dc7c2c998a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/api/events/conversation-title-updated.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 120632, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c2f0947d991f00714e3f0f7836b1b07af9746b1d54fad9f05281d04e25cd01ed", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "updated", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c2f0947d991f00714e3f0f7836b1b07af9746b1d54fad9f05281d04e25cd01ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/api/events/avatar-updated.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC002", "level": "note", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 120628, "scanner": "repobility-threat-engine", "fingerprint": "6c095fe89db345fabb6617a3f4409b1a7f86a90cce236ec799bac67fd76cde85", "category": "credential_exposure", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Could not extract value for entropy analysis Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "AKIAIOSFODNN7EXAMPLE", "reason": "Could not extract value for entropy analysis", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "secret|token|11|akiaiosfodnn7example", "duplicate_count": 2, "duplicate_rule_ids": ["SEC002", "SEC010", "SEC048"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["47bc328d396b2d0a1869756c0173ade12dd2d95d32de8724cfb6cf8b36e88d70", "6c095fe89db345fabb6617a3f4409b1a7f86a90cce236ec799bac67fd76cde85", 
"8188ba79005c3e14f9c3afa8d0c7d61e26370a69662dd64b14a887aad5c1e7e1"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/security/secret-scanner.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 120619, "scanner": "repobility-threat-engine", "fingerprint": "1f7886eb39ace4b192d73a1765741db0dbfbc50298a40ae777eae9d9583ec2e9", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'s not yet connected and would be genuinely useful.\" +\n      integrationContext +\n      ' Return ONL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1f7886eb39ace4b192d73a1765741db0dbfbc50298a40ae777eae9d9583ec2e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/home/suggested-prompts.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED099", "level": "none", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. 
AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 120629, "scanner": "repobility-threat-engine", "fingerprint": "263c689377131185adbacec8ee625e8aa70a2af9b8b602ce066397f1d2bebae5", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'example' detected on same line", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|263c689377131185adbacec8ee625e8aa70a2af9b8b602ce066397f1d2bebae5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/security/secret-scanner.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 120627, "scanner": "repobility-threat-engine", "fingerprint": "59b0568349c3fdf358d2ab4dc6a95734002d2477d48bcb534b2cc106d9182f4d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59b0568349c3fdf358d2ab4dc6a95734002d2477d48bcb534b2cc106d9182f4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"assistant/src/security/secret-scanner.ts"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 120626, "scanner": "repobility-threat-engine", "fingerprint": "081aba53beb1368b43d829a65c67855cf6257b161cb48ed298822da459825ce9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|081aba53beb1368b43d829a65c67855cf6257b161cb48ed298822da459825ce9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/security/secret-ingress.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 120618, "scanner": "repobility-threat-engine", "fingerprint": "bc622422aece995c7e07e0c16de081f3178587059cc7d4258a61a173910ef549", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bc622422aece995c7e07e0c16de081f3178587059cc7d4258a61a173910ef549"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 120614, "scanner": "repobility-threat-engine", "fingerprint": "867435873248f2fac4008f9e516aaca30f5966d7862f2b15e0d96aa29ada6903", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|867435873248f2fac4008f9e516aaca30f5966d7862f2b15e0d96aa29ada6903"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/memory/rerank-local.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 120613, "scanner": "repobility-threat-engine", "fingerprint": "aceea430650f47120f2ffcbf627d1965ffd7a09ec2f9d0cbc344e5cf19c6dd95", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aceea430650f47120f2ffcbf627d1965ffd7a09ec2f9d0cbc344e5cf19c6dd95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/config/schema-utils.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 120608, "scanner": "repobility-threat-engine", "fingerprint": "1ea8a5616750e2c737ebced631da516aaa82244142b85b61131df1927a5ab1a9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(\"[native-biometric] failed to store token:\", err)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|console.error native-biometric failed to store token: err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/runtime/native-biometric.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 120607, "scanner": "repobility-threat-engine", "fingerprint": "62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 120606, "scanner": "repobility-threat-engine", "fingerprint": "f6cc7febdf968c86bbdd8a40701af2ef46ded8a19de8f3ebf4e998b9b2e1c55b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f6cc7febdf968c86bbdd8a40701af2ef46ded8a19de8f3ebf4e998b9b2e1c55b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/config/schemas/ingress.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 120605, "scanner": "repobility-threat-engine", "fingerprint": "3957816ff43877d11f6aeb3209152130902f99d6a3b9d92957280ffed40651ca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3957816ff43877d11f6aeb3209152130902f99d6a3b9d92957280ffed40651ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/docker-init-apt-root.sh"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 120604, "scanner": "repobility-threat-engine", "fingerprint": "0dc2e9603f35275eb965a63beed2e8177756bf84aa0db65f8387eace4402fefe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0dc2e9603f35275eb965a63beed2e8177756bf84aa0db65f8387eace4402fefe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/voice/live-voice/connection.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 26 more): Same pattern found in 26 additional files. 
Review if needed."}, "properties": {"repobilityId": 120603, "scanner": "repobility-threat-engine", "fingerprint": "ee37b72ebde15cfbc31f78c9719de0889ff3a3c23590f5c2a982061826fb7c2f", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ee37b72ebde15cfbc31f78c9719de0889ff3a3c23590f5c2a982061826fb7c2f"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 120599, "scanner": "repobility-threat-engine", "fingerprint": "bcc4f4ba9d6f1cc01238739180acf67e6d4fb5ebbdd6b73d3d1174f7cc93f498", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bcc4f4ba9d6f1cc01238739180acf67e6d4fb5ebbdd6b73d3d1174f7cc93f498"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 10 more): Same pattern found in 10 additional files. 
Review if needed."}, "properties": {"repobilityId": 120590, "scanner": "repobility-threat-engine", "fingerprint": "50bd3e52d4aaac20fdc64b65419a1ff59e9e07e866c6b4a087636415374e3aa0", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|50bd3e52d4aaac20fdc64b65419a1ff59e9e07e866c6b4a087636415374e3aa0"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 120589, "scanner": "repobility-threat-engine", "fingerprint": "936291343f720c5266aaa436b5940ae89469a19df23c915010575bea17d0217d", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|19|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/utils/conversation-selection.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 120588, "scanner": "repobility-threat-engine", "fingerprint": "523c5db90492d2d7bf1d95a6cd420e4fe2321534b1cd07397851090e3e8dbfb2", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|115|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/document-viewer-page.tsx"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 120587, "scanner": "repobility-threat-engine", "fingerprint": "4aad7fd76d6ba2976e66f78acdf01b367ca1740a22956e899cf41138e89d0207", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|211|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/api/managed-oauth.ts"}, "region": {"startLine": 211}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 120583, "scanner": "repobility-threat-engine", "fingerprint": "3cce005a1fd9b4a54d37ac5ac76fa8151cf96bcfc36f79c6a32e365bbf15aaba", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3cce005a1fd9b4a54d37ac5ac76fa8151cf96bcfc36f79c6a32e365bbf15aaba"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 10 more): Same pattern found in 10 additional files. 
Review if needed."}, "properties": {"repobilityId": 120579, "scanner": "repobility-threat-engine", "fingerprint": "377e9ed5b80ffb9d61ead7cdc96c8d32214c1075bbdc490f011ecc80671f46d1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|377e9ed5b80ffb9d61ead7cdc96c8d32214c1075bbdc490f011ecc80671f46d1", "aggregated_count": 10}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 120578, "scanner": "repobility-threat-engine", "fingerprint": "bb7ac53612e12447cd8c4f18503b3d6aa5e6a3ea0240edab573a526691e47e4c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb7ac53612e12447cd8c4f18503b3d6aa5e6a3ea0240edab573a526691e47e4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"apps/web/src/domains/chat/components/surfaces/call-summary-surface.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 120577, "scanner": "repobility-threat-engine", "fingerprint": "015b8e5e430ffae84ef22b3439f72934620ba8d02087a75e593e1d1bf2392721", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|015b8e5e430ffae84ef22b3439f72934620ba8d02087a75e593e1d1bf2392721"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/components/scroll-to-latest-button.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 120576, "scanner": "repobility-threat-engine", "fingerprint": "7dcfc7f6cdb0e04aaf0a795c35deef51cdf967280db4dda76c34e5f4a709fdaa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", 
"triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7dcfc7f6cdb0e04aaf0a795c35deef51cdf967280db4dda76c34e5f4a709fdaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/avatar/animated-avatar.tsx"}, "region": {"startLine": 317}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 120575, "scanner": "repobility-threat-engine", "fingerprint": "1a95a5d1d682a12bb642e28c36c0e874bff6cdc26089c46ae8ef263ee1155792", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1a95a5d1d682a12bb642e28c36c0e874bff6cdc26089c46ae8ef263ee1155792", "aggregated_count": 1}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 120574, "scanner": "repobility-threat-engine", "fingerprint": "ebf28e2c1bd7a6a3a789f36a56b9bb7bef96ccdcd7c68ddadf160f89b9ad9058", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ebf28e2c1bd7a6a3a789f36a56b9bb7bef96ccdcd7c68ddadf160f89b9ad9058"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/account/pages/oauth-popup-complete-page.tsx"}, "region": {"startLine": 261}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 120573, "scanner": "repobility-threat-engine", "fingerprint": "2297ed5a5e0eeee5b5d0b74b3f970637e2c879126d59564f29c40bfc5afa1c31", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2297ed5a5e0eeee5b5d0b74b3f970637e2c879126d59564f29c40bfc5afa1c31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/account/pages/oauth-complete-page.tsx"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 120572, "scanner": "repobility-threat-engine", "fingerprint": "48d4f81b235cfd2b1d09ced96c003d3ecb124a5c029c23ddbe88742fd736217c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|48d4f81b235cfd2b1d09ced96c003d3ecb124a5c029c23ddbe88742fd736217c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/avatar-renderer.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 78 more): Same pattern found in 78 additional files. Review if needed."}, "properties": {"repobilityId": 120571, "scanner": "repobility-threat-engine", "fingerprint": "ebdb8455eeb930d12e054aca7176be0f6f58c187c8ab78ec6ecf978f0cf284d4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 78 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ebdb8455eeb930d12e054aca7176be0f6f58c187c8ab78ec6ecf978f0cf284d4", "aggregated_count": 78}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 120570, "scanner": "repobility-threat-engine", "fingerprint": "5ee7a6987d12c1ae2327e31bd2ab10b9d01204efe6b1e78de06c2d74a0b1a5c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5ee7a6987d12c1ae2327e31bd2ab10b9d01204efe6b1e78de06c2d74a0b1a5c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/api/surfaces.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 120569, "scanner": "repobility-threat-engine", "fingerprint": "6ef6e1beaf5cc08d16cc9a15e667691c6b2c28b6c74b97532a86f3d07baa4590", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ef6e1beaf5cc08d16cc9a15e667691c6b2c28b6c74b97532a86f3d07baa4590"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/avatar/avatar-customization-panel.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 120568, "scanner": "repobility-threat-engine", "fingerprint": "eaa1fe43c1bfee50d5883b9efa956f9582938332a6b8bdda7dff0dfd09663e50", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eaa1fe43c1bfee50d5883b9efa956f9582938332a6b8bdda7dff0dfd09663e50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/assistant/avatar-api.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED018", "level": "none", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 120567, "scanner": "repobility-threat-engine", "fingerprint": "d3e94a80f250c6983d38230cde21395c4729f27a8c8a0de0afbd615b41c32fd2", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'spec\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d3e94a80f250c6983d38230cde21395c4729f27a8c8a0de0afbd615b41c32fd2"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "apps/web/scripts/transform-daemon-spec.ts"}, "region": {"startLine": 162}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 120563, "scanner": "repobility-threat-engine", "fingerprint": "99641ac9328a30a8806e5d6f5d1ddb775940cdf7306811ce227b7b4ebed57f7c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|99641ac9328a30a8806e5d6f5d1ddb775940cdf7306811ce227b7b4ebed57f7c"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 120559, "scanner": "repobility-threat-engine", "fingerprint": "ba89edbfbc62838876a8f449dddf3598b0d3fd16d59fb2a0927371c3c661bcd9", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 24 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ba89edbfbc62838876a8f449dddf3598b0d3fd16d59fb2a0927371c3c661bcd9"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 114 more): Same pattern found in 114 additional files. Review if needed."}, "properties": {"repobilityId": 120555, "scanner": "repobility-threat-engine", "fingerprint": "5c80c17afb1f8e3bb1f2dcb075767d800072769fafdf77d144c077c49797da4e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 114 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 114 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5c80c17afb1f8e3bb1f2dcb075767d800072769fafdf77d144c077c49797da4e"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 85 more): Same pattern found in 85 additional files. Review if needed."}, "properties": {"repobilityId": 120551, "scanner": "repobility-threat-engine", "fingerprint": "5be280f25cba7b35fdbe807f00013416a51c3dbe9d84bf21ea653aaeefc09bf3", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 85 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 85 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5be280f25cba7b35fdbe807f00013416a51c3dbe9d84bf21ea653aaeefc09bf3"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 120547, "scanner": "repobility-threat-engine", "fingerprint": "daa0de24a85003a80ca19bc0d7d7f74db62e08c69beb03de8fea6281b99e0948", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|daa0de24a85003a80ca19bc0d7d7f74db62e08c69beb03de8fea6281b99e0948", "aggregated_count": 25}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 120546, "scanner": "repobility-threat-engine", "fingerprint": "120ca95bc58bde31a93d6e51076b195d403645cd28ef74bd26bbce5262362c8e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|120ca95bc58bde31a93d6e51076b195d403645cd28ef74bd26bbce5262362c8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/scripts/install-file-deps.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 120545, "scanner": "repobility-threat-engine", "fingerprint": "7ed1611d2ad321b798f0733e7a6a970b45f4c23477927a038a6836d522223378", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ed1611d2ad321b798f0733e7a6a970b45f4c23477927a038a6836d522223378"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/scripts/dev.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 120544, "scanner": "repobility-threat-engine", "fingerprint": "b5d2c235ba96ae9079df5ef0aabef052ce1f56bc243af84ed0fd2be53f7b158a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b5d2c235ba96ae9079df5ef0aabef052ce1f56bc243af84ed0fd2be53f7b158a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/scripts/afterPack.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mitmproxy/mitmproxy:11.0.2` not pinned by digest: `FROM mitmproxy/mitmproxy:11.0.2` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 120734, "scanner": "repobility-supply-chain", "fingerprint": "b765fb385231412b46b21165db873d19a5ca153d0378b058c36c4fea0bda9fcd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b765fb385231412b46b21165db873d19a5ca153d0378b058c36c4fea0bda9fcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/recording/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-alpine` not pinned by digest: `FROM python:3.12-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 120733, "scanner": "repobility-supply-chain", "fingerprint": "d289f4320e75db2e86bb34add8c5ba3471162653a615a144f1f4b5b04e414ec8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d289f4320e75db2e86bb34add8c5ba3471162653a615a144f1f4b5b04e414ec8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/local-mode` pulled from URL/Git: `dependencies.@vellumai/local-mode` = `file:../../packages/local-mode` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120732, "scanner": "repobility-supply-chain", "fingerprint": "e4e684aac3e0baee17565ec4e1a40f500b566b23fbc7fddee125725e2d921599", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4e684aac3e0baee17565ec4e1a40f500b566b23fbc7fddee125725e2d921599"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/design-library` pulled from URL/Git: `dependencies.@vellumai/design-library` = `file:../../packages/design-library` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120731, "scanner": "repobility-supply-chain", "fingerprint": "f32558b933c12a7b97b1891ecb0526196704a451dc7cd772af4a8529cfcc1221", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f32558b933c12a7b97b1891ecb0526196704a451dc7cd772af4a8529cfcc1221"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/local-mode` pulled from URL/Git: `dependencies.@vellumai/local-mode` = `file:../../packages/local-mode` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120730, "scanner": "repobility-supply-chain", "fingerprint": "044e116cc7d4394d977c5a3b1919301de1f104aacf3b6af96fa8bad08edbc628", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|044e116cc7d4394d977c5a3b1919301de1f104aacf3b6af96fa8bad08edbc628"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/environments` pulled from URL/Git: `dependencies.@vellumai/environments` = `file:../../packages/environments` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120729, "scanner": "repobility-supply-chain", "fingerprint": "19dd19be6040880d4c2dd1edce5df9e64bb118ec281e0f3a2a4a0b270840559c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|19dd19be6040880d4c2dd1edce5df9e64bb118ec281e0f3a2a4a0b270840559c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/egress-proxy` pulled from URL/Git: `dependencies.@vellumai/egress-proxy` = `file:../packages/egress-proxy` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120728, "scanner": "repobility-supply-chain", "fingerprint": "856f55e06de673ef2eb16d06b03fcfeed6835fba827aac85b2bf4e50125b1dfd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|856f55e06de673ef2eb16d06b03fcfeed6835fba827aac85b2bf4e50125b1dfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "credential-executor/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/credential-storage` pulled from URL/Git: `dependencies.@vellumai/credential-storage` = `file:../packages/credential-storage` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120727, "scanner": "repobility-supply-chain", "fingerprint": "908402c946fd495b12fbc02727e82b339892a2b928d82a239b30347b12b3a075", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|908402c946fd495b12fbc02727e82b339892a2b928d82a239b30347b12b3a075"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "credential-executor/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/service-contracts` pulled from URL/Git: `dependencies.@vellumai/service-contracts` = `file:../packages/service-contracts` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120726, "scanner": "repobility-supply-chain", "fingerprint": "a9b5cfb1a66248917f6e0d1b29e2412e664f6aa399e69596eb12204dabec6b1e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a9b5cfb1a66248917f6e0d1b29e2412e664f6aa399e69596eb12204dabec6b1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "credential-executor/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/local-mode` pulled from URL/Git: `dependencies.@vellumai/local-mode` = `file:../packages/local-mode` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120725, "scanner": "repobility-supply-chain", "fingerprint": "20ebdc2171af710ed77399b8fc9ef1aacb6d3bdad6aa4d8f42fdd24dfad082b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20ebdc2171af710ed77399b8fc9ef1aacb6d3bdad6aa4d8f42fdd24dfad082b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/environments` pulled from URL/Git: `dependencies.@vellumai/environments` = `file:../packages/environments` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120724, "scanner": "repobility-supply-chain", "fingerprint": "4fa4874c2da8a0ba2d402c290606af715a18354050b7b1c61d8ba5de1c1b0879", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fa4874c2da8a0ba2d402c290606af715a18354050b7b1c61d8ba5de1c1b0879"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/twilio-client` pulled from URL/Git: `dependencies.@vellumai/twilio-client` = `file:../packages/twilio-client` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120723, "scanner": "repobility-supply-chain", "fingerprint": "418db86981460965d55c7f10429b4cfc41711f5b1c7fa14c086e7baadecfcaa6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|418db86981460965d55c7f10429b4cfc41711f5b1c7fa14c086e7baadecfcaa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/slack-text` pulled from URL/Git: `dependencies.@vellumai/slack-text` = `file:../packages/slack-text` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120722, "scanner": "repobility-supply-chain", "fingerprint": "cf7b433b190ab87271ed2a368fcf5764015de93192788ad2566bda25f54b32f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf7b433b190ab87271ed2a368fcf5764015de93192788ad2566bda25f54b32f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/skill-host-contracts` pulled from URL/Git: `dependencies.@vellumai/skill-host-contracts` = `file:../packages/skill-host-contracts` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120721, "scanner": "repobility-supply-chain", "fingerprint": "45b36cc9b8486fdc783539bfe46a7c39b93f29da61bc923f4356697a0b79fd1e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45b36cc9b8486fdc783539bfe46a7c39b93f29da61bc923f4356697a0b79fd1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/service-contracts` pulled from URL/Git: `dependencies.@vellumai/service-contracts` = `file:../packages/service-contracts` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120720, "scanner": "repobility-supply-chain", "fingerprint": "9b5b4f15df3a26df412bc96615e300f952e41c4c3285a186ad5d5fd9f765bd83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b5b4f15df3a26df412bc96615e300f952e41c4c3285a186ad5d5fd9f765bd83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/ipc-server-utils` pulled from URL/Git: `dependencies.@vellumai/ipc-server-utils` = `file:../packages/ipc-server-utils` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120719, "scanner": "repobility-supply-chain", "fingerprint": "e6418eac5690ea0e07293cb8b681fb96308b341664fca34a4c565af9215e4c81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6418eac5690ea0e07293cb8b681fb96308b341664fca34a4c565af9215e4c81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/gateway-client` pulled from URL/Git: `dependencies.@vellumai/gateway-client` = `file:../packages/gateway-client` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120718, "scanner": "repobility-supply-chain", "fingerprint": "8f11c23457b6d2c59e3a4ccccbe19e1456d30e6e7df35414318ec67391c2820e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f11c23457b6d2c59e3a4ccccbe19e1456d30e6e7df35414318ec67391c2820e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/environments` pulled from URL/Git: `dependencies.@vellumai/environments` = `file:../packages/environments` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120717, "scanner": "repobility-supply-chain", "fingerprint": "cfde53e1845d8b28655a357c4b75f9af8b9e03c59b3d1280d9cdda11e9043179", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cfde53e1845d8b28655a357c4b75f9af8b9e03c59b3d1280d9cdda11e9043179"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/egress-proxy` pulled from URL/Git: `dependencies.@vellumai/egress-proxy` = `file:../packages/egress-proxy` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120716, "scanner": "repobility-supply-chain", "fingerprint": "e5c66374667ec796e3115f02e36adad0e419fb01a586be37b9bfbdf426e4bd9f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5c66374667ec796e3115f02e36adad0e419fb01a586be37b9bfbdf426e4bd9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/credential-storage` pulled from URL/Git: `dependencies.@vellumai/credential-storage` = `file:../packages/credential-storage` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120715, "scanner": "repobility-supply-chain", "fingerprint": "e4c975f69e4fc496593df81e6135704dd7b8813f1a226f828997b457cccc6772", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4c975f69e4fc496593df81e6135704dd7b8813f1a226f828997b457cccc6772"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/ces-client` pulled from URL/Git: `dependencies.@vellumai/ces-client` = `file:../packages/ces-client` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120714, "scanner": "repobility-supply-chain", "fingerprint": "af201b3356e0115175ccf7d4d79466aa39d82041d66fbe6a243be53212b6c39c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af201b3356e0115175ccf7d4d79466aa39d82041d66fbe6a243be53212b6c39c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/twilio-client` pulled from URL/Git: `dependencies.@vellumai/twilio-client` = `file:../packages/twilio-client` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120713, "scanner": "repobility-supply-chain", "fingerprint": "f5565e032fdfd35e9d5a4cef799a3fb276b4c07b2b01d39ce21f83cb3d248218", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f5565e032fdfd35e9d5a4cef799a3fb276b4c07b2b01d39ce21f83cb3d248218"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/slack-text` pulled from URL/Git: `dependencies.@vellumai/slack-text` = `file:../packages/slack-text` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120712, "scanner": "repobility-supply-chain", "fingerprint": "4e6729c5e957858504d03c8ed65a19bf1cd51859f5fac3ae3bae67d4f18d7de7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e6729c5e957858504d03c8ed65a19bf1cd51859f5fac3ae3bae67d4f18d7de7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/service-contracts` pulled from URL/Git: `dependencies.@vellumai/service-contracts` = `file:../packages/service-contracts` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120711, "scanner": "repobility-supply-chain", "fingerprint": "fd99f5c948628eb3979e340418ca48a68fd85f6a8f176b76502babf8dad0a40f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd99f5c948628eb3979e340418ca48a68fd85f6a8f176b76502babf8dad0a40f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/ipc-server-utils` pulled from URL/Git: `dependencies.@vellumai/ipc-server-utils` = `file:../packages/ipc-server-utils` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120710, "scanner": "repobility-supply-chain", "fingerprint": "65a341ae880269810d601ab6eb843e1b18e176aa02afa2ed6187762d5006c6c4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65a341ae880269810d601ab6eb843e1b18e176aa02afa2ed6187762d5006c6c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/ces-client` pulled from URL/Git: `dependencies.@vellumai/ces-client` = `file:../packages/ces-client` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120709, "scanner": "repobility-supply-chain", "fingerprint": "0e43786e6fd042a7173fe3ec7a06f607f0bf8c062632b66685448515c5763743", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e43786e6fd042a7173fe3ec7a06f607f0bf8c062632b66685448515c5763743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@vellumai/assistant-client` pulled from URL/Git: `dependencies.@vellumai/assistant-client` = `file:../packages/assistant-client` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 120708, "scanner": "repobility-supply-chain", "fingerprint": "12f9003969c0796804f044044b569425dac6963615d54b1a50f8a182f0a310f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12f9003969c0796804f044044b569425dac6963615d54b1a50f8a182f0a310f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gateway/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsNone` used but never assigned in __init__: Method `test_unrelated_line_returns_none` of class `ParseEventLineTests` reads `self.assertIsNone`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120706, "scanner": "repobility-ast-engine", "fingerprint": "aedf788dad33177c1da2fdc4b5970dd92d97b4e4c4dbd234bfa174e741ba4922", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aedf788dad33177c1da2fdc4b5970dd92d97b4e4c4dbd234bfa174e741ba4922"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsNone` used but never assigned in __init__: Method `test_unrelated_line_returns_none` of class `ParseEventLineTests` reads `self.assertIsNone`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120705, "scanner": "repobility-ast-engine", "fingerprint": "86ee14d2644adf2ad76b1917f59a95777d7387e97b607f2da9edb10fc5f01524", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|86ee14d2644adf2ad76b1917f59a95777d7387e97b607f2da9edb10fc5f01524"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsNone` used but never assigned in __init__: Method `test_unrelated_line_returns_none` of class `ParseEventLineTests` reads `self.assertIsNone`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120704, "scanner": "repobility-ast-engine", "fingerprint": "ce3b30edbe47707aa256fba1479ef88e28a24f9da9e4c9d827fa8ccf3e867114", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce3b30edbe47707aa256fba1479ef88e28a24f9da9e4c9d827fa8ccf3e867114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_destroy_without_state_field` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120703, "scanner": "repobility-ast-engine", "fingerprint": "ea744cdae60327ec8b2e6c5cc7d39685d715cdb1623bbad7fc797512d064ae0d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ea744cdae60327ec8b2e6c5cc7d39685d715cdb1623bbad7fc797512d064ae0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_destroy_without_state_field` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120702, "scanner": "repobility-ast-engine", "fingerprint": "845a73ea7391ac6ea0e6a6ce0514f6f01a68fa3313fe93475d40c35f52f08100", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|845a73ea7391ac6ea0e6a6ce0514f6f01a68fa3313fe93475d40c35f52f08100"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsNotNone` used but never assigned in __init__: Method `test_destroy_without_state_field` of class `ParseEventLineTests` reads `self.assertIsNotNone`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120701, "scanner": "repobility-ast-engine", "fingerprint": "6c7df6eff278c23b58ade32e844e54e2edb28312d677a337787b01035b1cf636", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6c7df6eff278c23b58ade32e844e54e2edb28312d677a337787b01035b1cf636"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_destroy_event_carries_both_direction_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120700, "scanner": "repobility-ast-engine", "fingerprint": "84b1ed47931f39457ae3ee8c5554428fb4e04de3a497f0793316591e9a912e5e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|84b1ed47931f39457ae3ee8c5554428fb4e04de3a497f0793316591e9a912e5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_destroy_event_carries_both_direction_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120699, "scanner": "repobility-ast-engine", "fingerprint": "b5e11bc9e9f0241508c8839d553c9adae3e546eb181435ca8a364e57fc902412", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b5e11bc9e9f0241508c8839d553c9adae3e546eb181435ca8a364e57fc902412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_destroy_event_carries_both_direction_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120698, "scanner": "repobility-ast-engine", "fingerprint": "294bbb8dfc852ab59487020fc93543bc821e6ca2708f3befd1ff8bd41bcb288a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|294bbb8dfc852ab59487020fc93543bc821e6ca2708f3befd1ff8bd41bcb288a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_destroy_event_carries_both_direction_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120697, "scanner": "repobility-ast-engine", "fingerprint": "dd3d5606d69c9cfd1d14ca4436b7694a81b4d50d1c4bb557a0ffe332e54651f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dd3d5606d69c9cfd1d14ca4436b7694a81b4d50d1c4bb557a0ffe332e54651f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_destroy_event_carries_both_direction_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120696, "scanner": "repobility-ast-engine", "fingerprint": "1ba94dc0e29c5e32d3cfcc4d83a37b2deefa542542cb0aa43ebd3257f73965cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1ba94dc0e29c5e32d3cfcc4d83a37b2deefa542542cb0aa43ebd3257f73965cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_destroy_event_carries_both_direction_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120695, "scanner": "repobility-ast-engine", "fingerprint": "2eaaeaed36ab632329089abe066f26e1f1b618dd60e51dbd2e21d20ae92ab825", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2eaaeaed36ab632329089abe066f26e1f1b618dd60e51dbd2e21d20ae92ab825"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_destroy_event_carries_both_direction_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120694, "scanner": "repobility-ast-engine", "fingerprint": "e7eb5381c30364da918d393603d940b430714d6d43adb9acefb9c9db6f499bf6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e7eb5381c30364da918d393603d940b430714d6d43adb9acefb9c9db6f499bf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsNotNone` used but never assigned in __init__: Method `test_destroy_event_carries_both_direction_counters` of class `ParseEventLineTests` reads `self.assertIsNotNone`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120693, "scanner": "repobility-ast-engine", "fingerprint": "5e17bdca4bf0b4e1cab385b9312381e3fe6c1da657cf7d574a4e6f159efb2047", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5e17bdca4bf0b4e1cab385b9312381e3fe6c1da657cf7d574a4e6f159efb2047"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_new_event_extracts_original_tuple_and_zero_reply_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120692, "scanner": "repobility-ast-engine", "fingerprint": "dd60fb016820b4588d46d77740d6ddf2e0f340b0539adcd6e27b0e83ae31ade6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dd60fb016820b4588d46d77740d6ddf2e0f340b0539adcd6e27b0e83ae31ade6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_new_event_extracts_original_tuple_and_zero_reply_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120691, "scanner": "repobility-ast-engine", "fingerprint": "0bb93228ca3bee9f362fb4607882aee4d28bb2fd4b0eb061c763de4e38fb091b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0bb93228ca3bee9f362fb4607882aee4d28bb2fd4b0eb061c763de4e38fb091b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_new_event_extracts_original_tuple_and_zero_reply_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120690, "scanner": "repobility-ast-engine", "fingerprint": "d193cf73485a0e1a16a7e83dc81e1465743834fe7b09721d1f562e3a3c1bfd85", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d193cf73485a0e1a16a7e83dc81e1465743834fe7b09721d1f562e3a3c1bfd85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_new_event_extracts_original_tuple_and_zero_reply_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120689, "scanner": "repobility-ast-engine", "fingerprint": "6e6d8b1d274516ab6a67dce8803f0d3b84f2ed63221a55e757115e0336b625f2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6e6d8b1d274516ab6a67dce8803f0d3b84f2ed63221a55e757115e0336b625f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_new_event_extracts_original_tuple_and_zero_reply_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120688, "scanner": "repobility-ast-engine", "fingerprint": "bc1a6801fe142a02adfdb8ad9bcbea9ad099783ca01b4341d779c44fcd9a8f7c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bc1a6801fe142a02adfdb8ad9bcbea9ad099783ca01b4341d779c44fcd9a8f7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_new_event_extracts_original_tuple_and_zero_reply_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120687, "scanner": "repobility-ast-engine", "fingerprint": "471fd337ba29c8822ac161083ce9f5b7084b2d3895684a29e273781edc46c896", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|471fd337ba29c8822ac161083ce9f5b7084b2d3895684a29e273781edc46c896"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_new_event_extracts_original_tuple_and_zero_reply_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120686, "scanner": "repobility-ast-engine", "fingerprint": "9ab22b8b54d72a803b6a1cdd6e1729322bef794c67cb51f8d47760a91abe241b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ab22b8b54d72a803b6a1cdd6e1729322bef794c67cb51f8d47760a91abe241b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_new_event_extracts_original_tuple_and_zero_reply_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120685, "scanner": "repobility-ast-engine", "fingerprint": "28905639724c8de3b3b3b5ac15f3f4f0646ba377e0eed50d7c99325c4abf94cc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|28905639724c8de3b3b3b5ac15f3f4f0646ba377e0eed50d7c99325c4abf94cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_new_event_extracts_original_tuple_and_zero_reply_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120684, "scanner": "repobility-ast-engine", "fingerprint": "31a77d7320f64bfab83c729f984f7cff039c6e072f99623256fd46a0a7c4a2bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|31a77d7320f64bfab83c729f984f7cff039c6e072f99623256fd46a0a7c4a2bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_new_event_extracts_original_tuple_and_zero_reply_counters` of class `ParseEventLineTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120683, "scanner": "repobility-ast-engine", "fingerprint": "8edfc81fe1175bf1d5f63e21d696d72fe30b5aad78f63134196ee8f126721135", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8edfc81fe1175bf1d5f63e21d696d72fe30b5aad78f63134196ee8f126721135"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsNotNone` used but never assigned in __init__: Method `test_new_event_extracts_original_tuple_and_zero_reply_counters` of class `ParseEventLineTests` reads `self.assertIsNotNone`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 120682, "scanner": "repobility-ast-engine", "fingerprint": "51b40c56499289c7da0ba5a8da0f2455a4907071d2a705f8ca215df3917bd4a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|51b40c56499289c7da0ba5a8da0f2455a4907071d2a705f8ca215df3917bd4a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/connection-telemetry/test_connection_tailer.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 120681, "scanner": "repobility-journey-contract", "fingerprint": "9608f9dd0d221fc2bb1eae64a22837aec49836fef3191113c0e9c130f2edbecf", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|96|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/onboarding/pages/api-key-screen.tsx"}, "region": {"startLine": 96}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 120671, "scanner": "repobility-docker", "fingerprint": 
"da98d8daa804e5b8b869e89d94397f966c88312ea5b3ab2893628c2427b80f64", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|da98d8daa804e5b8b869e89d94397f966c88312ea5b3ab2893628c2427b80f64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/src/lib/egress/recording/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 120668, "scanner": "repobility-docker", "fingerprint": "35cf2558e78c1730b99969b85658d061bc0835ccc9a70df19d3eb3e0a844b5c3", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|35cf2558e78c1730b99969b85658d061bc0835ccc9a70df19d3eb3e0a844b5c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "credential-executor/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 120665, "scanner": "repobility-docker", "fingerprint": "72e487b79a3affb0853cd8ae69a0fbf6e9c2737895b470eded091c971a08002a", "category": "docker", "severity": 
"high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|72e487b79a3affb0853cd8ae69a0fbf6e9c2737895b470eded091c971a08002a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/Dockerfile"}, "region": {"startLine": 234}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 120663, "scanner": "repobility-docker", "fingerprint": "3a3cc675b0c66594b1b7832abaf3bed60bd93dd14b66a9308a98c60c05a5d4de", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3a3cc675b0c66594b1b7832abaf3bed60bd93dd14b66a9308a98c60c05a5d4de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 120623, "scanner": "repobility-threat-engine", "fingerprint": "42bf0bc2340fb073889ccfaf099967e1d76bbdb716fa42e678ec9aa26f8bad1f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|42bf0bc2340fb073889ccfaf099967e1d76bbdb716fa42e678ec9aa26f8bad1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/runtime/middleware/rate-limiter.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC111", "level": "error", "message": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. 
Calling them on non-constant data is XSS."}, "properties": {"repobilityId": 120622, "scanner": "repobility-threat-engine", "fingerprint": "a6a0c04790db355c910421bcb79315befbff91c613b49ea64ed281ebc58b8c04", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "safeString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC111", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a6a0c04790db355c910421bcb79315befbff91c613b49ea64ed281ebc58b8c04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/notifications/preference-summary.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 120621, "scanner": "repobility-threat-engine", "fingerprint": "0d7276ef5759cdc2064160207a2e30d65535bc793e68d3446110d67c9dd6c6d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0d7276ef5759cdc2064160207a2e30d65535bc793e68d3446110d67c9dd6c6d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/runtime/assistant-stream-state.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED027", 
"level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 120620, "scanner": "repobility-threat-engine", "fingerprint": "caae6f7ee1a58622e5fc262adfc2b1554c5996e68288307fb8cdf9f4296973c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|caae6f7ee1a58622e5fc262adfc2b1554c5996e68288307fb8cdf9f4296973c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/memory/context-search/search.ts"}, "region": {"startLine": 260}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 120617, "scanner": "repobility-threat-engine", "fingerprint": "c270214df6f58434dc8f340b06c9e965bb2d16e6744a6f6697021d93ea7fba3b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(patternSource", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c270214df6f58434dc8f340b06c9e965bb2d16e6744a6f6697021d93ea7fba3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/ipc/skill-routes/registries.ts"}, "region": {"startLine": 234}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 120616, "scanner": "repobility-threat-engine", "fingerprint": "bbed36ccce81fad42bb8ac26bd9358b473c83a12fbed39c8d490659a2a980f8e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(dd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bbed36ccce81fad42bb8ac26bd9358b473c83a12fbed39c8d490659a2a980f8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/daemon/doordash-steps.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 120615, "scanner": "repobility-threat-engine", "fingerprint": "94c22704a78eeeb89e4ad6f292053a2d212f3578b7d2662642562aa1e0367a53", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n    entries", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|94c22704a78eeeb89e4ad6f292053a2d212f3578b7d2662642562aa1e0367a53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/daemon/dictation-text-processing.ts"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 120612, "scanner": "repobility-threat-engine", "fingerprint": "bb35eeeef4cfb3eabb5a0c19128b1a4f7fb2c204f4afac7c28107a5cb70e2819", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|11|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/config/bundled-skills/document-editor/tools/document-open.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 120610, "scanner": "repobility-threat-engine", "fingerprint": "4df8addfffdc27e96bc05119cc7bb1d6e49d32ce667f535c10f3f75fbaca1710", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4df8addfffdc27e96bc05119cc7bb1d6e49d32ce667f535c10f3f75fbaca1710"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/calls/twilio-provider.ts"}, "region": {"startLine": 315}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just 
checksums)."}, "properties": {"repobilityId": 120609, "scanner": "repobility-threat-engine", "fingerprint": "6d7bbe8d703ee7c20184d8479b1a1c69e10856f0dc29f606a66583db21e3c82f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d7bbe8d703ee7c20184d8479b1a1c69e10856f0dc29f606a66583db21e3c82f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/bundler/compiler-tools.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 120602, "scanner": "repobility-threat-engine", "fingerprint": "a5d2d8818a1d8b1299e1a1ff76748c55696967bfa82e2455cd4d6729bf090d16", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n      (p) =>\n        `<path d=\"${escapeAttr(p.svgPath)}\" fill=\"${escapeAttr(p.color)}\" transfor", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a5d2d8818a1d8b1299e1a1ff76748c55696967bfa82e2455cd4d6729bf090d16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/utils/avatar-svg-compositor.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 120601, "scanner": "repobility-threat-engine", "fingerprint": "916cc21a2d9218e96b2c5125e6da016fe8208b7ee40a559d3ed1cb2e7a27db1a", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((scheme) => `${scheme}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|916cc21a2d9218e96b2c5125e6da016fe8208b7ee40a559d3ed1cb2e7a27db1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/runtime/native-deep-link.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 120600, "scanner": "repobility-threat-engine", "fingerprint": "07cefaf06a6a785d3ebaba5c21562ff8deec7816ba7ecfe0c143b15eba7a1005", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n        (t) => `${t.label} (${t.sublabel}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|07cefaf06a6a785d3ebaba5c21562ff8deec7816ba7ecfe0c143b15eba7a1005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/domains/chat/hooks/use-onboarding-choice.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 120562, "scanner": "repobility-threat-engine", "fingerprint": "826ed6654b8c35f7c6de5ad53bf9b4e6b4397756fc69eeee2e840cf83fa2eb41", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|826ed6654b8c35f7c6de5ad53bf9b4e6b4397756fc69eeee2e840cf83fa2eb41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/components/avatar/animated-avatar.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 120561, "scanner": "repobility-threat-engine", "fingerprint": "cafb74246ca7bfb7c3db77005741488d436d743f046e4f689e910d53fefc56bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(source", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cafb74246ca7bfb7c3db77005741488d436d743f046e4f689e910d53fefc56bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/eslint-rules/cross-domain-matchers.mjs"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 120560, "scanner": "repobility-threat-engine", "fingerprint": "822e6f228fab389a1072f4df2f4f5304b93df595df95244d20e6cb7232d4a2b5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(hex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|822e6f228fab389a1072f4df2f4f5304b93df595df95244d20e6cb7232d4a2b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/src/main/status-icon.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 120554, "scanner": "repobility-threat-engine", "fingerprint": "ea343dec40d4779412cbbc7f601bb7c6def11282443920a7b51eded69305d93e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "subscribers.delete(event.sender);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea343dec40d4779412cbbc7f601bb7c6def11282443920a7b51eded69305d93e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/src/main/deep-links.ts"}, "region": {"startLine": 220}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 120553, "scanner": "repobility-threat-engine", "fingerprint": "ca0be7e002ed4abad96756c0aff2ec9ac59000b265fba015b46030ea0e4011ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "listeners.delete(listener);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ca0be7e002ed4abad96756c0aff2ec9ac59000b265fba015b46030ea0e4011ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/src/main/avatar.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 120552, "scanner": "repobility-threat-engine", "fingerprint": "b5bb0a10e24a46bc3d38c42e96d0d7a4825a4cd549eda4ca6ee85b3dfcfca0d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "visiting.delete(pkgDir);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b5bb0a10e24a46bc3d38c42e96d0d7a4825a4cd549eda4ca6ee85b3dfcfca0d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/scripts/install-file-deps.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 120550, "scanner": "repobility-threat-engine", "fingerprint": "2511d8014af40dd705aa115d867e98f91de707fa3fb85fa432a9f8d04c688376", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(g", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2511d8014af40dd705aa115d867e98f91de707fa3fb85fa432a9f8d04c688376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/src/main/app-origin.ts"}, "region": {"startLine": 29}}}]},
{"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. \nSSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 120549, "scanner": "repobility-threat-engine", "fingerprint": "863b3ee53cbc8164c18ba7513d930c85b74a101285928fb0ac8cede0f1a063f0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|863b3ee53cbc8164c18ba7513d930c85b74a101285928fb0ac8cede0f1a063f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/src/main/about.ts"}, "region": {"startLine": 124}}}]},
{"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. \nSSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 120548, "scanner": "repobility-threat-engine", "fingerprint": "a489e522a90a289ffcf2885f39bab3f2d9850878bd55aa3b97e2e1a1e8925cbe", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a489e522a90a289ffcf2885f39bab3f2d9850878bd55aa3b97e2e1a1e8925cbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/macos/scripts/generate-icon.sh"}, "region": {"startLine": 46}}}]},
{"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VELLUM_AUTOMATION_GITHUB_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VELLUM_AUTOMATION_GITHUB_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). \nUse `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 120742, "scanner": "repobility-supply-chain", "fingerprint": "62f3db0126c2d107fb1c20d3e80daf6b14ff8c4fac8d6dacd61846c292e8f081", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62f3db0126c2d107fb1c20d3e80daf6b14ff8c4fac8d6dacd61846c292e8f081"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-macos.yaml"}, "region": {"startLine": 259}}}]},
{"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VELLUM_AUTOMATION_GITHUB_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VELLUM_AUTOMATION_GITHUB_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). \nUse `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 120741, "scanner": "repobility-supply-chain", "fingerprint": "5a31810646af63c7f3ae35bff31e01734a8b3da811c6c35f30b1a5c025d4818b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a31810646af63c7f3ae35bff31e01734a8b3da811c6c35f30b1a5c025d4818b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-macos.yaml"}, "region": {"startLine": 258}}}]},
{"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VELLUM_AUTOMATION_GITHUB_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VELLUM_AUTOMATION_GITHUB_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). \nUse `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 120740, "scanner": "repobility-supply-chain", "fingerprint": "dd26f61335c4dcc96bf617ce597dda386b948652a93e991741db7ae77c656631", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd26f61335c4dcc96bf617ce597dda386b948652a93e991741db7ae77c656631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-macos.yaml"}, "region": {"startLine": 140}}}]},
{"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VELLUM_AUTOMATION_GITHUB_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VELLUM_AUTOMATION_GITHUB_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). \nUse `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 120739, "scanner": "repobility-supply-chain", "fingerprint": "c0107571a33f4ddea6cca67136e917b5d827133fdbef02cce6653daa9a9f4770", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c0107571a33f4ddea6cca67136e917b5d827133fdbef02cce6653daa9a9f4770"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-macos.yaml"}, "region": {"startLine": 139}}}]},
{"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VELLUM_AUTOMATION_GITHUB_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VELLUM_AUTOMATION_GITHUB_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). \nUse `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 120738, "scanner": "repobility-supply-chain", "fingerprint": "c5e9a54eaeb03f00c7ff620caaa12032292e93e8d5b55f54628e58b417ffa835", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c5e9a54eaeb03f00c7ff620caaa12032292e93e8d5b55f54628e58b417ffa835"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-assistant.yaml"}, "region": {"startLine": 180}}}]},
{"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VELLUM_AUTOMATION_GITHUB_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VELLUM_AUTOMATION_GITHUB_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). \nUse `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 120737, "scanner": "repobility-supply-chain", "fingerprint": "a6edf37c6dacdbbfdbd2a8bd822e20dc096afeb34d62a8a1ad5d7f067dab67e9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6edf37c6dacdbbfdbd2a8bd822e20dc096afeb34d62a8a1ad5d7f067dab67e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-assistant.yaml"}, "region": {"startLine": 179}}}]},
{"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VELLUM_AUTOMATION_GITHUB_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VELLUM_AUTOMATION_GITHUB_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). \nUse `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 120736, "scanner": "repobility-supply-chain", "fingerprint": "979beaa2cdd3bef49cd28c21d2b8cf6196d2081e0dc22768b35249ba7a842670", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|979beaa2cdd3bef49cd28c21d2b8cf6196d2081e0dc22768b35249ba7a842670"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cherry-pick-to-release.yml"}, "region": {"startLine": 26}}}]},
{"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VELLUM_AUTOMATION_GITHUB_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VELLUM_AUTOMATION_GITHUB_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). \nUse `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 120735, "scanner": "repobility-supply-chain", "fingerprint": "6b9245d2e36cdcaa52d8895bfab4dec1f3a1855bb1127427b400647f11013feb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b9245d2e36cdcaa52d8895bfab4dec1f3a1855bb1127427b400647f11013feb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cherry-pick-to-release.yml"}, "region": {"startLine": 25}}}]},
{"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 120631, "scanner": "repobility-threat-engine", "fingerprint": "f2f078ba9660191a1a02ca105f6599a9ee6e182568d955106881ef7506aa0137", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2f078ba9660191a1a02ca105f6599a9ee6e182568d955106881ef7506aa0137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/tasks/task-runner.ts"}, "region": {"startLine": 28}}}]},
{"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 120630, "scanner": "repobility-threat-engine", "fingerprint": "ceebf9cc61af955d77af533da6d8b23bd88eb67f6b64041b91b411035a283b95", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ceebf9cc61af955d77af533da6d8b23bd88eb67f6b64041b91b411035a283b95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "assistant/src/tasks/task-compiler.ts"}, "region": {"startLine": 59}}}]},
{"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. \n`unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 120566, "scanner": "repobility-threat-engine", "fingerprint": "9cf1ab5009bff302ede806cf29ef7f36ca5057ebe004e5aeab15f823aef09ecc", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|162|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/scripts/transform-daemon-spec.ts"}, "region": {"startLine": 162}}}]},
{"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 120565, "scanner": "repobility-threat-engine", "fingerprint": "5e45c9a22e362f68a354e8e5d89db453c7cdc4310fe170c22c5552d4ad45f3e2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(raw)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5e45c9a22e362f68a354e8e5d89db453c7cdc4310fe170c22c5552d4ad45f3e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/scripts/transform-daemon-spec.ts"}, "region": {"startLine": 162}}}]}]}]}