{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT014", "name": "Codex auth.json is read or copied without visible secret-file hardening", "shortDescription": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "fullDescription": {"text": "Tools that read or switch Codex CLI auth files handle OAuth/session material. Plain file copies, account switchers, and token readers should enforce narrow permissions and avoid printing or exporting token values."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/362"}, "properties": {"repository": "stablyai/orca", "repoUrl": "https://github.com/stablyai/orca.git", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 11576, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 11575, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 11569, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 11567, "scanner": "repobility-threat-engine", "fingerprint": "d109d9fc54f3979a0d0e95fa24852337783233de10062fac14cc59748895f0cd", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|src/main/persistence.ts|455|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/persistence.ts"}, "region": {"startLine": 455}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 11566, "scanner": "repobility-threat-engine", "fingerprint": "8ea13f3755242ad47e469b4de7a7ac84cfd97d212264f27970c5525dedb03c85", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|427|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/src/terminal/TerminalWebView.tsx"}, "region": {"startLine": 427}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 11562, "scanner": "repobility-threat-engine", "fingerprint": "f4a5a5b657ef580318e9482d9a7dde4af0f914ee0f6337c2ac63be77402eded5", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "Math.random()", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|474|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/runtime/runtime-file-client.ts"}, "region": {"startLine": 474}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 11558, "scanner": "repobility-threat-engine", "fingerprint": "519aed8b52c3736e178b3500927cfdbdd42f8218e341de625922ac62756c3c88", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|519aed8b52c3736e178b3500927cfdbdd42f8218e341de625922ac62756c3c88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/app/h/[hostId]/session/[worktreeId].tsx"}, "region": {"startLine": 1614}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 11557, "scanner": "repobility-threat-engine", "fingerprint": "e5ed3febe339eda8349944b8160fb7df1626f46dce5cec06c4ebc8a671ef0900", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e5ed3febe339eda8349944b8160fb7df1626f46dce5cec06c4ebc8a671ef0900"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/app/h/[hostId]/index.tsx"}, "region": {"startLine": 509}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 11556, "scanner": "repobility-threat-engine", "fingerprint": "15a66347a9cfd9c4fdea72f98d598e41d5565bdd796ade6b654f3e5f9fffba9c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|15a66347a9cfd9c4fdea72f98d598e41d5565bdd796ade6b654f3e5f9fffba9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/app/index.tsx"}, "region": {"startLine": 119}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 11555, "scanner": "repobility-agent-runtime", "fingerprint": "ecfe50f3ffb8e5b2afcf2069c135bcb5f56f3672d19df6d38c30608c1a9beca3", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ecfe50f3ffb8e5b2afcf2069c135bcb5f56f3672d19df6d38c30608c1a9beca3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/runtime/runtime-rpc.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 11554, "scanner": "repobility-agent-runtime", "fingerprint": "07706da6b9b30221ed1b29d080e75591c29e0a8a480dfc7a2b51c3aad1fd8a1d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|07706da6b9b30221ed1b29d080e75591c29e0a8a480dfc7a2b51c3aad1fd8a1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/opencode/hook-service.ts"}, "region": {"startLine": 426}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 11553, "scanner": "repobility-agent-runtime", "fingerprint": "33c023349c8b21d8dbb23f02435393591af0ce9c9bf4ee9cc412b3b676f12ca9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|33c023349c8b21d8dbb23f02435393591af0ce9c9bf4ee9cc412b3b676f12ca9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/codex-accounts/service.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 11552, "scanner": "repobility-agent-runtime", "fingerprint": "80b70fc86c28b49ecf2259a2fd50b36fdb97f42026ea58887e7aa4b6ceaea23d", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|80b70fc86c28b49ecf2259a2fd50b36fdb97f42026ea58887e7aa4b6ceaea23d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/codex-accounts/runtime-home-service.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11551, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a2654643ebcae470362e93a4c4dbd269cacf890f99b0e77067a11028b8d7381d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/automations/service.ts", "duplicate_line": 92, "correlation_key": "fp|a2654643ebcae470362e93a4c4dbd269cacf890f99b0e77067a11028b8d7381d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/claude-usage/store.ts"}, "region": {"startLine": 585}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11550, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8be3f15efa8c757c6db9ab0cc5cf9283c07379923fa904d6bdaf2cfb56b81068", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/src/components/CustomKeyModal.tsx", "duplicate_line": 218, "correlation_key": "fp|8be3f15efa8c757c6db9ab0cc5cf9283c07379923fa904d6bdaf2cfb56b81068"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/src/components/PickerModal.tsx"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11549, "scanner": "repobility-ai-code-hygiene", "fingerprint": "87fdd5d950c6d9f1790b6f0d53c164774e37668d186fd375bbc9bc419f84b4aa", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/src/components/ActionSheetModal.tsx", "duplicate_line": 79, "correlation_key": "fp|87fdd5d950c6d9f1790b6f0d53c164774e37668d186fd375bbc9bc419f84b4aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/src/components/PickerModal.tsx"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11548, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d2320f502c325b84eec2eaf41824c4a6bcc08b69e92d5f3bea4bf8fca4367a24", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/scripts/repro-terminal-colors.ts", "duplicate_line": 47, "correlation_key": "fp|d2320f502c325b84eec2eaf41824c4a6bcc08b69e92d5f3bea4bf8fca4367a24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/scripts/test-subscribe.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11547, "scanner": "repobility-ai-code-hygiene", "fingerprint": "21e85bc398fdbbe55e8201da68714976532ad54fa1134686471fcc02a8d56412", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/scripts/repro-terminal-colors.ts", "duplicate_line": 11, "correlation_key": "fp|21e85bc398fdbbe55e8201da68714976532ad54fa1134686471fcc02a8d56412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/scripts/repro-worktree-startup-stream.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11546, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc7e636fd3b6400fe6bc9d86d0df3f747101b2ecf146dae0b7eceb61965c29dd", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/app/about.tsx", "duplicate_line": 86, "correlation_key": "fp|cc7e636fd3b6400fe6bc9d86d0df3f747101b2ecf146dae0b7eceb61965c29dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/app/troubleshoot.tsx"}, "region": {"startLine": 302}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11545, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3750091146981c81462aeee4c39af00130ba409409def5e35fb5aae759c6292a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/app/terminal-settings.tsx", "duplicate_line": 191, "correlation_key": "fp|3750091146981c81462aeee4c39af00130ba409409def5e35fb5aae759c6292a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/app/troubleshoot.tsx"}, "region": {"startLine": 301}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11544, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a2c51050b5c21084a7fd3b84e58ba7fae4a7e47b29a9515bf7cf29fe9808dfd4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/app/about.tsx", "duplicate_line": 86, "correlation_key": "fp|a2c51050b5c21084a7fd3b84e58ba7fae4a7e47b29a9515bf7cf29fe9808dfd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/app/terminal-settings.tsx"}, "region": {"startLine": 192}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11543, "scanner": "repobility-ai-code-hygiene", "fingerprint": "985319742fbbd306f143adae0a55ab2e4f188a72f0e00941c9d7aa4adf8aff15", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/app/about.tsx", "duplicate_line": 73, "correlation_key": "fp|985319742fbbd306f143adae0a55ab2e4f188a72f0e00941c9d7aa4adf8aff15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/app/settings.tsx"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11542, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23eba6cfa800ecce635127de4c22314539469e75686e2b9e4ba153f10f0d72d8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/app/notifications.tsx", "duplicate_line": 97, "correlation_key": "fp|23eba6cfa800ecce635127de4c22314539469e75686e2b9e4ba153f10f0d72d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/app/settings.tsx"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11541, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0bc42c42c5100369a818bd923b2ed76f556e9ce9546c4e7652492669f338cfb1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/app/pair-confirm.tsx", "duplicate_line": 39, "correlation_key": "fp|0bc42c42c5100369a818bd923b2ed76f556e9ce9546c4e7652492669f338cfb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/app/pair-scan.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11540, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa9edc9db719a34051ef159d465fad8cc487d3ca58ed5ad8c6165cd9cfa7aaa8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/app/about.tsx", "duplicate_line": 73, "correlation_key": "fp|fa9edc9db719a34051ef159d465fad8cc487d3ca58ed5ad8c6165cd9cfa7aaa8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/app/notifications.tsx"}, "region": {"startLine": 98}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 11574, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 11573, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 11572, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 11571, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 11539, "scanner": "repobility-ai-code-hygiene", "fingerprint": "81f226a268537d3c1cd341147315bcbd17c1fb29077c7f0bd8556fe08a3928bf", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "alt", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|81f226a268537d3c1cd341147315bcbd17c1fb29077c7f0bd8556fe08a3928bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/lib/keyboard-layout/use-effective-mac-option-as-alt.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 11538, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fdf377d9dfab2a24973e1362b6717ec38a3ab0e8bf48502ead764fab0bbe8248", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "alt", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|fdf377d9dfab2a24973e1362b6717ec38a3ab0e8bf48502ead764fab0bbe8248"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/lib/keyboard-layout/detect-option-as-alt.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 11537, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e32df5e6ae61f2fec9a2930afbbe7993a4b24921407838841786ab4d0c002dbf", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e32df5e6ae61f2fec9a2930afbbe7993a4b24921407838841786ab4d0c002dbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/lib/sparse-preset-draft.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 11536, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d411b331f861d4e4beaee2c1ccbb84fcd75af5aba0edcea9b19fd74c963f9f8c", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|d411b331f861d4e4beaee2c1ccbb84fcd75af5aba0edcea9b19fd74c963f9f8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/lib/agent-paste-draft.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 11535, "scanner": "repobility-ai-code-hygiene", "fingerprint": "92495fd30498fc27f857539d3063caaf35391a1edf98df049a14b8ed2f837265", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|92495fd30498fc27f857539d3063caaf35391a1edf98df049a14b8ed2f837265"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/components/editor/setup-contextual-copy.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 11534, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ad8c49b7b10eb3eebbef609ccfe444f83c3f81ed5effc13d31aea9a7bd026da", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|4ad8c49b7b10eb3eebbef609ccfe444f83c3f81ed5effc13d31aea9a7bd026da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/components/editor/selection-copy.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 11568, "scanner": "repobility-threat-engine", "fingerprint": "ecd7d28235d092827951c100af5030a8b20c33bbfa8c091ac8532b5114e3f047", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Sanitization detected ('sanitize') \u2014 output is likely sanitized", "evidence": {"match": ".innerHTML = D", "reason": "Sanitization detected ('sanitize') \u2014 output is likely sanitized", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|token|60|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/renderer/src/components/editor/MermaidBlock.tsx"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 11565, "scanner": "repobility-threat-engine", "fingerprint": "7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 11564, "scanner": "repobility-threat-engine", "fingerprint": "b79b3868d4faa2008070ba9256d8ba3fa36b1ecb51203b3eacdd4cfe27d6bc6a", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|src/main/persistence.ts|1477|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/persistence.ts"}, "region": {"startLine": 1477}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 11563, "scanner": "repobility-threat-engine", "fingerprint": "3f3bc5ddf6232853703cf063bdea558fc2c31d09cbe1aad03c1da8bbd3b49d9a", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|40|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/src/hooks/use-mobile-dictation.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 11561, "scanner": "repobility-threat-engine", "fingerprint": "548c8c00dd778dddc9845c565e6e493264476d213c836f335022d48180adb2cd", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.debug(prefix + token + ':' + JSON.stringify(readViewport()", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|13|console.debug prefix + token + : + json.stringify readviewport"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/browser-annotation-viewport-bridge.ts"}, "region": {"startLine": 135}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 11559, "scanner": "repobility-threat-engine", "fingerprint": "0aa9dc49795a1907c3853ff388053ca770d08e8348ca7a50a7dc711483ad1ae4", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0aa9dc49795a1907c3853ff388053ca770d08e8348ca7a50a7dc711483ad1ae4"}}}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 11570, "scanner": "repobility-journey-contract", "fingerprint": "2491288700f8927424482ce82d890b7425f1124d9e07bbfbfd281a385673d4a9", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|37|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/telemetry/client.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 11560, "scanner": "repobility-threat-engine", "fingerprint": "10ab2ea4d224c3bff671dfd300e85f5a6bc665c6323ac1d96473ac08d90ecf4f", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Console output includes a credential-bearing template expression.", "evidence": {"match": "console.log(`[mock] Auth token: <redacted>}`)", "reason": "Console output includes a credential-bearing template expression.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.92, "correlation_key": "secret|token|31|console.log mock auth token: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/scripts/mock-server.ts"}, "region": {"startLine": 319}}}]}]}]}