{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. 
Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace.\nJS/TS note: a bare `.exec(` hit is often `RegExp.prototype.exec`, which evaluates nothing; confirm the receiver is `child_process`, `vm`, `eval`/`new Function` or another code evaluator before treating the match as injection."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser). This only matters where the value must be unpredictable (session/reset tokens, API keys, nonces, IVs); gameplay, map-generation and visual randomness does not need a CSPRNG, so such hits should be triaged as not applicable rather than rewritten."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, 
making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock non-public ranges explicitly: 127/8, 0.0.0.0/8, 10/8, 100.64/10, 172.16/12, 192.168/16, 169.254/16 (cloud metadata), and IPv6 ::1, fc00::/7, fe80::/10.\nA hostname allowlist alone is not enough: resolve the name and check the resolved address immediately before connecting, and re-check every redirect target (or disable redirects), since DNS rebinding and a 3xx to an internal address both bypass a pre-fetch string check. Restrict the scheme to http/https as well."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 20 more): Same pattern found in 20 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run", "shortDescription": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) "}, "fullDescription": {"text": "Replace with: `uses: pnpm/action-setup@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `uWebSockets.js` pulled from URL/Git: `dependencies.uWebSockets.js` = `github:uNetworking/uW", "shortDescription": {"text": "[MINED122] package.json dep `uWebSockets.js` pulled from URL/Git: `dependencies.uWebSockets.js` = `github:uNetworking/uWebSockets.js#v20.66.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If t"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /api/report_error has no auth: Express route POST /api/report_error declared without an auth mid", "shortDescription": {"text": "[MINED113] Express POST /api/report_error has no auth: Express route POST /api/report_error declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 b"}, "fullDescription": {"text": "Add an auth middleware: app.post('/api/report_error', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. 
If truly public (an error-report sink often is), mark with a comment and treat it as an abuse surface instead: rate-limit per client, cap the request body size, and never log or render the submitted payload unescaped."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with a separate args array and without `shell: true` (which brings the shell back); never build a command string from input. Validate argument values as well, since many programs treat a leading `-` in an argument as an option."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). 
For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make cross-origin requests and read the responses. Browsers refuse to send credentials when the origin is `*`, so the truly dangerous variant is reflecting the request's Origin header back unchecked together with `Access-Control-Allow-Credentials: true`, which lets any site act as the logged-in user."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, compare the Origin header against a known list with exact string matching (no substring or regex-prefix checks), echo it back only on a match, and send `Vary: Origin` so shared caches do not serve one origin's response to another. Never combine wildcard origin with credentials, and keep `*` only for genuinely public, unauthenticated resources."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1116"}, "properties": {"repository": "survev/survev", "repoUrl": "https://github.com/survev/survev", "branch": "master"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 110387, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 110386, "scanner": "repobility-agent-runtime", "fingerprint": "224f81da04075ca0ffe4386a5df1ce1f36165fd4bd78bbdfb18ca517c6a70eee", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, 
"reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|224f81da04075ca0ffe4386a5df1ce1f36165fd4bd78bbdfb18ca517c6a70eee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/teamMenu.ts"}, "region": {"startLine": 373}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 110385, "scanner": "repobility-agent-runtime", "fingerprint": "993ecf94720ad24f36d41c9f3bc30086647889ae9dadc2275fd4d4af6ec79957", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|993ecf94720ad24f36d41c9f3bc30086647889ae9dadc2275fd4d4af6ec79957"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/stressTest.ts"}, "region": {"startLine": 448}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 110384, "scanner": "repobility-agent-runtime", "fingerprint": "46265f87fb7e8058ae5bd0638e9f80e34f36f26fb1b0f74eaed28a5f862fb677", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], 
"correlation_key": "fp|46265f87fb7e8058ae5bd0638e9f80e34f36f26fb1b0f74eaed28a5f862fb677"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/gameServer.ts"}, "region": {"startLine": 417}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 110383, "scanner": "repobility-agent-runtime", "fingerprint": "aeeb1b1346d803badff536d2bb335650ea8244152323212727d0422434b68656", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|aeeb1b1346d803badff536d2bb335650ea8244152323212727d0422434b68656"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/api/index.ts"}, "region": {"startLine": 208}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 110382, "scanner": "repobility-agent-runtime", "fingerprint": "51ac3e81dca6cbdaac355f3dbb4b422128ed47957dd5430453a14426569f8b05", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|51ac3e81dca6cbdaac355f3dbb4b422128ed47957dd5430453a14426569f8b05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/device.ts"}, "region": {"startLine": 54}}}]}, 
{"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 110381, "scanner": "repobility-agent-runtime", "fingerprint": "17a11365a7f308f12ee38eb00e56c51f02b57e901ed560e2a1085a618388311f", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|17a11365a7f308f12ee38eb00e56c51f02b57e901ed560e2a1085a618388311f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/config.ts"}, "region": {"startLine": 159}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 110349, "scanner": "repobility-threat-engine", "fingerprint": "9584305399e315c5ef7be1dc3b9ddfb360decc6de77cddb94f2f5132c1eea940", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|shared/utils/util.ts|256|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/utils/util.ts"}, "region": {"startLine": 256}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 110341, "scanner": "repobility-threat-engine", "fingerprint": "32674f7df51e81451e138cd2052f250f852ab776ca1a2e959e952f8ba5ee7bd7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * (max - min) + min);\n    }\n\n    private getStartPoint(isFactionRiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|32674f7df51e81451e138cd2052f250f852ab776ca1a2e959e952f8ba5ee7bd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/game/riverCreator.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not 
cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 110340, "scanner": "repobility-threat-engine", "fingerprint": "1db87a5f5f581b5b0a667ae0ad08ed9d47cf843a2f7d82e64035f62918fe95dc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ive = false;\n    zIdx = 0;\n    sprite = PIXI.Sprite.from(particles[Math.floor(Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1db87a5f5f581b5b0a667ae0ad08ed9d47cf843a2f7d82e64035f62918fe95dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/objects/smoke.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 110339, "scanner": "repobility-threat-engine", "fingerprint": "879e89215f370c4cdc57f592471d9867952d1c514491c088fd3aa303fd12c6c6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() <= 0.01;\n    }\n\n    priv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|879e89215f370c4cdc57f592471d9867952d1c514491c088fd3aa303fd12c6c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/errorLogs.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 110337, "scanner": "repobility-threat-engine", "fingerprint": "c9f73cbe10c3d062b126406a7602a7dc69a87595c144456db129bb63420b942c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c9f73cbe10c3d062b126406a7602a7dc69a87595c144456db129bb63420b942c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/helpers.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 110336, "scanner": "repobility-threat-engine", "fingerprint": 
"b794ca3249b9544afe84c999ee1766c6a86cf55db3e770db7c88da3e74aaeb7c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b794ca3249b9544afe84c999ee1766c6a86cf55db3e770db7c88da3e74aaeb7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/device.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 110335, "scanner": "repobility-threat-engine", "fingerprint": "985254284df501cea0dd44ced16879755d4fb2007204d66a3d0688ac82e1adaf", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|985254284df501cea0dd44ced16879755d4fb2007204d66a3d0688ac82e1adaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/config.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 110388, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": 
"open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110380, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b8e485de7898124c9e2739e8f7c5e3540c323fa1cf344a3430a71e8a5d2c492a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/snowDefs.ts", "duplicate_line": 176, "correlation_key": "fp|b8e485de7898124c9e2739e8f7c5e3540c323fa1cf344a3430a71e8a5d2c492a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/woodsSnowDefs.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110379, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74ebabd598f271ca4ba18ae319a61b061010434e79aa1b7743a9713b1de16234", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/desertDefs.ts", "duplicate_line": 209, "correlation_key": 
"fp|74ebabd598f271ca4ba18ae319a61b061010434e79aa1b7743a9713b1de16234"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/woodsDefs.ts"}, "region": {"startLine": 177}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110378, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf32f1937f4593f6edc75f10bc72c2db91fa573ca916d97a3db532e7dc6eaa97", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 53, "correlation_key": "fp|bf32f1937f4593f6edc75f10bc72c2db91fa573ca916d97a3db532e7dc6eaa97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/woodsDefs.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110377, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e1384380f0c15dfa6a5d00865f22e207175826548a89dd807007497cd47c3a0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 235, "correlation_key": "fp|4e1384380f0c15dfa6a5d00865f22e207175826548a89dd807007497cd47c3a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/snowDefs.ts"}, 
"region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110376, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d56273f0256a86701b6e2800eae34213f7998da8e6d529b50ada2c44f984839f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 839, "correlation_key": "fp|d56273f0256a86701b6e2800eae34213f7998da8e6d529b50ada2c44f984839f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/savannahDefs.ts"}, "region": {"startLine": 222}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110375, "scanner": "repobility-ai-code-hygiene", "fingerprint": "931d939fd0a9ade1aeacf87a294f3ed57300798ee5d974ada500fd0298eea92b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 839, "correlation_key": "fp|931d939fd0a9ade1aeacf87a294f3ed57300798ee5d974ada500fd0298eea92b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/potatoSpringDefs.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 110374, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5a049b5b8fdcc2873569259f72cdbf4f9ba6f5a7ee9e2c080389b2f75b8d2309", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/mainSpringDefs.ts", "duplicate_line": 11, "correlation_key": "fp|5a049b5b8fdcc2873569259f72cdbf4f9ba6f5a7ee9e2c080389b2f75b8d2309"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/potatoSpringDefs.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110373, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5cd440bb0655f0a9e7ad881448c07410165cda31166bcd9df35b2050826e610c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/potatoDefs.ts", "duplicate_line": 14, "correlation_key": "fp|5cd440bb0655f0a9e7ad881448c07410165cda31166bcd9df35b2050826e610c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/potatoSpringDefs.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110372, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"313181d71b386273bd8426ffd9adc8417c795ef39d2837509e4f5edcf64cf067", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/cobaltDefs.ts", "duplicate_line": 125, "correlation_key": "fp|313181d71b386273bd8426ffd9adc8417c795ef39d2837509e4f5edcf64cf067"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/potatoDefs.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110371, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95118ea04ea9b124ca35ee7d0e7e228bffeb8b79351b72259d5cdea8ae326627", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/factionPotatoDefs.ts", "duplicate_line": 255, "correlation_key": "fp|95118ea04ea9b124ca35ee7d0e7e228bffeb8b79351b72259d5cdea8ae326627"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/potatoDefs.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110370, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e740b9fe8eb7242007ee5e0d09c11fc5f7f8a9ee5e52816110a2cd226f59f68f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 53, "correlation_key": "fp|e740b9fe8eb7242007ee5e0d09c11fc5f7f8a9ee5e52816110a2cd226f59f68f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/potatoDefs.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110369, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f98d9daa2a20fe0b14911eb648d8398339f35d35a59e3409b9b70f5d05c2e86", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/mainSummerDefs.ts", "duplicate_line": 7, "correlation_key": "fp|4f98d9daa2a20fe0b14911eb648d8398339f35d35a59e3409b9b70f5d05c2e86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/potatoDefs.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110368, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ea31bd4ea32a4ff271fdce373f237de38e13d496eeb6dac6fb13123e33a97f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/mainSpringDefs.ts", "duplicate_line": 34, "correlation_key": "fp|4ea31bd4ea32a4ff271fdce373f237de38e13d496eeb6dac6fb13123e33a97f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/mainSummerDefs.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110367, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4cdef550b7862ea2ae25575bc911db7b556a048ca9c41401be2ff75e5aecc36f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 19, "correlation_key": "fp|4cdef550b7862ea2ae25575bc911db7b556a048ca9c41401be2ff75e5aecc36f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/mainSummerDefs.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110366, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0875a5e36ee9d83f77faf2e5cb66f253f4f4d35e1ea46209642121f9207a9c95", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", 
"duplicate_line": 838, "correlation_key": "fp|0875a5e36ee9d83f77faf2e5cb66f253f4f4d35e1ea46209642121f9207a9c95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/mainSpringDefs.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110365, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df37c9162a508bd7ed987d893b9c4466ce94bd410db5329b877f5aa4a6efaca2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/desertDefs.ts", "duplicate_line": 208, "correlation_key": "fp|df37c9162a508bd7ed987d893b9c4466ce94bd410db5329b877f5aa4a6efaca2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/halloweenDefs.ts"}, "region": {"startLine": 199}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110364, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0cdc4ecf464c8d3fb04b22d084d2d7a72f4db10b5219c7a2a2798c59517c76b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/factionDefs.ts", "duplicate_line": 288, "correlation_key": "fp|b0cdc4ecf464c8d3fb04b22d084d2d7a72f4db10b5219c7a2a2798c59517c76b"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "shared/defs/maps/halloweenDefs.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110363, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6542c86abb699f169f4f63d7b725adfddf7b85d3d4e7d2864eb00b0adbca5fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 52, "correlation_key": "fp|f6542c86abb699f169f4f63d7b725adfddf7b85d3d4e7d2864eb00b0adbca5fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/halloweenDefs.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110362, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1123498b26ed11788a9f76047204d63acc2564fe66d2aa31ed97f074043f4b19", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/factionDefs.ts", "duplicate_line": 22, "correlation_key": "fp|1123498b26ed11788a9f76047204d63acc2564fe66d2aa31ed97f074043f4b19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/factionPotatoDefs.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": 
{"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110361, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d645454a1e7b58b5bf0dd0b3077ff5ca42c7d69fde4744f6815b60888bbf3ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 235, "correlation_key": "fp|1d645454a1e7b58b5bf0dd0b3077ff5ca42c7d69fde4744f6815b60888bbf3ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/factionDefs.ts"}, "region": {"startLine": 241}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110360, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ccebbf278d76cd71b640ede1e6ca1b0daf73072e860164334be95cff3274f986", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/desertDefs.ts", "duplicate_line": 58, "correlation_key": "fp|ccebbf278d76cd71b640ede1e6ca1b0daf73072e860164334be95cff3274f986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/factionDefs.ts"}, "region": {"startLine": 239}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110359, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"b369bb2a9b46b4dee91dfa10844dd0836d7b9804ae48b52468968e9c8b67681e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 53, "correlation_key": "fp|b369bb2a9b46b4dee91dfa10844dd0836d7b9804ae48b52468968e9c8b67681e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/desertDefs.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110358, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88e0cd77429ae7a1781b8e0882043b8e28e764cfc06b05fb379aff1ad0726d2b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 838, "correlation_key": "fp|88e0cd77429ae7a1781b8e0882043b8e28e764cfc06b05fb379aff1ad0726d2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/cobaltDefs.ts"}, "region": {"startLine": 123}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110357, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ec0e8eb29421da18854b628e55576d51001a299de19393b99f5d7be05bce2fe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 33, "correlation_key": "fp|0ec0e8eb29421da18854b628e55576d51001a299de19393b99f5d7be05bce2fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/birthdayDefs.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110356, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d65fbb8fa4f7cd042d597e50f06f9413a143719dca4047d7f8a8b8b2d220902", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "shared/defs/maps/baseDefs.ts", "duplicate_line": 56, "correlation_key": "fp|8d65fbb8fa4f7cd042d597e50f06f9413a143719dca4047d7f8a8b8b2d220902"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/defs/maps/beachDefs.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110355, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c054a86401202b4a30bc442c46df905951d7244fc61557587df8c1f1a4048067", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/api/routes/user/auth/discord.ts", "duplicate_line": 31, "correlation_key": "fp|c054a86401202b4a30bc442c46df905951d7244fc61557587df8c1f1a4048067"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/api/routes/user/auth/google.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110354, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0396f72ec1ac4330a42c74ca2f3800baaa0c73aa0d3517c6acd9c62342a10b43", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/ui/menu.ts", "duplicate_line": 24, "correlation_key": "fp|0396f72ec1ac4330a42c74ca2f3800baaa0c73aa0d3517c6acd9c62342a10b43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ui/teamMenu.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110353, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d87f5fda9af0a4148bbab8c469ce51c0ec059b42b62bc8de780b391b465b456", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/building-editor/src/editorDisplay.ts", 
"duplicate_line": 27, "correlation_key": "fp|1d87f5fda9af0a4148bbab8c469ce51c0ec059b42b62bc8de780b391b465b456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ui/opponentDisplay.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110352, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b8b1751a0f9d6fb8686a34708618f0ef03b7031765539bb8c2b09ed2c34f06ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/building-editor/src/main.ts", "duplicate_line": 67, "correlation_key": "fp|b8b1751a0f9d6fb8686a34708618f0ef03b7031765539bb8c2b09ed2c34f06ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/main.ts"}, "region": {"startLine": 281}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110351, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a94dc11275a02c85f989751efccd4eb05e5f285010238464b5b685c05cc1ea4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/building-editor/src/editorUi.ts", "duplicate_line": 186, "correlation_key": "fp|a94dc11275a02c85f989751efccd4eb05e5f285010238464b5b685c05cc1ea4e"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "client/src/debug/editor.ts"}, "region": {"startLine": 225}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 110346, "scanner": "repobility-threat-engine", "fingerprint": "7c55df1f74222a1473c0f9c048f7cf6fa4e513a09bc4713e343bbfedf2c0592b", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|50|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/api/routes/user/auth/authUtils.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 110345, "scanner": "repobility-threat-engine", "fingerprint": "a2bbb982fe79ab714ae72ae0d72bf60a3f1ec080581e3328b674186ebdd3e018", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|332|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/api/routes/private/private.ts"}, "region": {"startLine": 332}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 110344, "scanner": "repobility-threat-engine", "fingerprint": "b7e064856dd9e3572b869bb0088d7c1b65bba8a17f5cba3aec37da7de3e7672b", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|server/src/api/db/seed.ts|164|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/api/db/seed.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": 
{"repobilityId": 110343, "scanner": "repobility-threat-engine", "fingerprint": "5e925a8fabab6d1d0525ed854fb1eab476f30a32a9e23b35a27d9734ff3d28a1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e925a8fabab6d1d0525ed854fb1eab476f30a32a9e23b35a27d9734ff3d28a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 110342, "scanner": "repobility-threat-engine", "fingerprint": "df480f3aa363d5dcd9e48385eb08e73b3730ee9a811ed5f77b2c2f8c3ef3094f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|df480f3aa363d5dcd9e48385eb08e73b3730ee9a811ed5f77b2c2f8c3ef3094f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/vite.config.mts"}, "region": {"startLine": 51}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same 
pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 110338, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 110334, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 11 more): Same pattern found in 11 additional files. 
Review if needed."}, "properties": {"repobilityId": 110330, "scanner": "repobility-threat-engine", "fingerprint": "8323284e71c0a31a05bed90ab17738fa73ec0ef9ce708f2be963d66c42fd127f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8323284e71c0a31a05bed90ab17738fa73ec0ef9ce708f2be963d66c42fd127f", "aggregated_count": 11}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 110329, "scanner": "repobility-threat-engine", "fingerprint": "8a49f22a145e0f368d083b566bfc748e8df429af4804b1d41211a8f40b5e8137", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8a49f22a145e0f368d083b566bfc748e8df429af4804b1d41211a8f40b5e8137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/objects/objectPool.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 110328, "scanner": "repobility-threat-engine", "fingerprint": "ea33ca9ad3c6ff2ee88241995187148701309859b853fc93e4d1d377f67ac824", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea33ca9ad3c6ff2ee88241995187148701309859b853fc93e4d1d377f67ac824"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/inputBinds.ts"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 110327, "scanner": "repobility-threat-engine", "fingerprint": "26c0fec8118007715e583e012907863f9a45e385f3ccb2556b1ec23a1d1d37d0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|26c0fec8118007715e583e012907863f9a45e385f3ccb2556b1ec23a1d1d37d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ambiance.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 110326, "scanner": "repobility-threat-engine", "fingerprint": "b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 110322, "scanner": "repobility-threat-engine", "fingerprint": "66d1c495d3abeafc78c296b019533eff1a61e26af1157450445281d1d91a242d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|66d1c495d3abeafc78c296b019533eff1a61e26af1157450445281d1d91a242d", "aggregated_count": 20}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 110321, "scanner": "repobility-threat-engine", "fingerprint": "f9e1b8a5c795974e551350eecd0c38354780e6d2de9573de8f386a26d9dc8454", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f9e1b8a5c795974e551350eecd0c38354780e6d2de9573de8f386a26d9dc8454"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/atlas-builder/vitePlugin.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 110320, "scanner": "repobility-threat-engine", "fingerprint": "ab11a5d1b75b6f8ce842cbb5be2d01adcaec61602a6dc786bb5b98e3013e47ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ab11a5d1b75b6f8ce842cbb5be2d01adcaec61602a6dc786bb5b98e3013e47ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/atlas-builder/imageWorker.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 110319, "scanner": "repobility-threat-engine", "fingerprint": "c948f1983a9a32ed32f6efedb6181740062c2e655288d0d591812dbd02070740", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c948f1983a9a32ed32f6efedb6181740062c2e655288d0d591812dbd02070740"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/atlas-builder/atlasWorker.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 110316, "scanner": "repobility-threat-engine", "fingerprint": "729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "aggregated_count": 1}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 110315, "scanner": "repobility-threat-engine", "fingerprint": "6afb10704c15d4b5f39d628a846497d33be6e73788a6722c4794066cd6bfb4cc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6afb10704c15d4b5f39d628a846497d33be6e73788a6722c4794066cd6bfb4cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ui/localization.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 110314, "scanner": "repobility-threat-engine", "fingerprint": "7819d083838cd73d930df939794b774f69cced1ea4418e3b3a85e10a5898aea7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7819d083838cd73d930df939794b774f69cced1ea4418e3b3a85e10a5898aea7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/config.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 110313, "scanner": "repobility-threat-engine", "fingerprint": "4dca7f91dd22669e3b135e34614d42db91c9d15088545daf05e9204c9db41586", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4dca7f91dd22669e3b135e34614d42db91c9d15088545daf05e9204c9db41586"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bot/src/commands/helpers.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 110312, "scanner": "repobility-threat-engine", "fingerprint": "19db4fe564a2b059c67992f23d769c86144af0f9934b0a0ae0c2f4e772a27097", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|19db4fe564a2b059c67992f23d769c86144af0f9934b0a0ae0c2f4e772a27097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/utils/util.ts"}, "region": {"startLine": 297}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 110311, "scanner": "repobility-threat-engine", "fingerprint": "eeace1ad041174b9cc1ea340b36e15e40e7b17d227349bdc5936c15cb7364224", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eeace1ad041174b9cc1ea340b36e15e40e7b17d227349bdc5936c15cb7364224"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ui/localization.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 110310, "scanner": "repobility-threat-engine", "fingerprint": "178101d3320ea4a7e4f89c6da480c70e6ea46a69aa67dfac3ed2c53afef76716", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|178101d3320ea4a7e4f89c6da480c70e6ea46a69aa67dfac3ed2c53afef76716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bot/src/commands/helpers.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110416, "scanner": "repobility-supply-chain", "fingerprint": "f0f0c165cee25d09de827261008278fc70c221369b93d2ccf04c6d983e74060a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0f0c165cee25d09de827261008278fc70c221369b93d2ccf04c6d983e74060a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/server.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110415, "scanner": "repobility-supply-chain", "fingerprint": "67c37f452c7ae568808f57d8b566405e2d74603bd66390ff61ceb851cfcc018c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67c37f452c7ae568808f57d8b566405e2d74603bd66390ff61ceb851cfcc018c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/server.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110414, "scanner": "repobility-supply-chain", "fingerprint": "da231ef07e9f6cfe5b0df8ac7f40c25b071b2fba9cc463b80baa561817d8c9e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da231ef07e9f6cfe5b0df8ac7f40c25b071b2fba9cc463b80baa561817d8c9e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/server.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110413, "scanner": "repobility-supply-chain", "fingerprint": "d91522e01eaa49f9edd4ab42d9c0dcc43ad811658faeed04af656dc33a94dc0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d91522e01eaa49f9edd4ab42d9c0dcc43ad811658faeed04af656dc33a94dc0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110412, "scanner": "repobility-supply-chain", "fingerprint": "f41440f8bd92af3ad78f7cb74b3f15d21013ee5883af248203e431458d77a505", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f41440f8bd92af3ad78f7cb74b3f15d21013ee5883af248203e431458d77a505"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110411, "scanner": "repobility-supply-chain", "fingerprint": "988cb914a2e94405daef2a3bff91d2a557792587a677e398cb3e575c3457d980", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|988cb914a2e94405daef2a3bff91d2a557792587a677e398cb3e575c3457d980"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/save` pinned to mutable ref `@v4`: `uses: actions/cache/save@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110410, "scanner": "repobility-supply-chain", "fingerprint": "cd252b8e26d1b2e62ffb86fd50499fd58a36f4b698457fa7a59c6f0035f017c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd252b8e26d1b2e62ffb86fd50499fd58a36f4b698457fa7a59c6f0035f017c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/client.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110409, "scanner": "repobility-supply-chain", "fingerprint": "ad087a0e714c334e4c0cd72dc842ad118ad9bdce39299ccf2b264993fb50c2c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad087a0e714c334e4c0cd72dc842ad118ad9bdce39299ccf2b264993fb50c2c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/client.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110408, "scanner": "repobility-supply-chain", "fingerprint": "3e93543d8e4d211447ec2640488630a192c780b5b4fb8be06bee2968a8936021", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e93543d8e4d211447ec2640488630a192c780b5b4fb8be06bee2968a8936021"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/client.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110407, "scanner": "repobility-supply-chain", "fingerprint": "7b0b7869ff8859966e61095080e282fc24acb17ea0a8b729413fa4b7402042ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b0b7869ff8859966e61095080e282fc24acb17ea0a8b729413fa4b7402042ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/client.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110406, "scanner": "repobility-supply-chain", "fingerprint": "63a9e9affd39b5c589fe827d99760d5790b1104fa53c692dabc9f93f244d8c13", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|63a9e9affd39b5c589fe827d99760d5790b1104fa53c692dabc9f93f244d8c13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/client.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110405, "scanner": "repobility-supply-chain", "fingerprint": "20e1a79c2d7024ef1dc5228b26ceadaf0ad82c9a384850e84b993773da9cb998", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20e1a79c2d7024ef1dc5228b26ceadaf0ad82c9a384850e84b993773da9cb998"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cloudflare/wrangler-action` pinned to mutable ref `@v3`: `uses: cloudflare/wrangler-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110404, "scanner": "repobility-supply-chain", "fingerprint": "9bac90cebb99a416f5d964be772f297b5199c9f0f980754a75b63edc38dade87", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9bac90cebb99a416f5d964be772f297b5199c9f0f980754a75b63edc38dade87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/save` pinned to mutable ref `@v4`: `uses: actions/cache/save@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110403, "scanner": "repobility-supply-chain", "fingerprint": "37d492ab8ec9aa5947c3451f751f9a9e345bc520ae021ea7dde59c09bf1ede36", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37d492ab8ec9aa5947c3451f751f9a9e345bc520ae021ea7dde59c09bf1ede36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110402, "scanner": "repobility-supply-chain", "fingerprint": "4490e0ec858acf4860a125bc8148da70b43069b0b43fefd5a325f7454b85b717", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4490e0ec858acf4860a125bc8148da70b43069b0b43fefd5a325f7454b85b717"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110401, "scanner": "repobility-supply-chain", "fingerprint": "981b11eb8e8efa6171b07f5b5cae5287dc29d443725cf44959d5d5de92d4d7c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|981b11eb8e8efa6171b07f5b5cae5287dc29d443725cf44959d5d5de92d4d7c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110400, "scanner": "repobility-supply-chain", "fingerprint": "4084eb781abebb0e5de3a78a3f0a8108531f4792f459c192d0d80f38b1ac3c15", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4084eb781abebb0e5de3a78a3f0a8108531f4792f459c192d0d80f38b1ac3c15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110399, "scanner": "repobility-supply-chain", "fingerprint": "9fd607c21854135d103946968aa1029e67ed828e0f7556e8a34733728aa1ea64", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fd607c21854135d103946968aa1029e67ed828e0f7556e8a34733728aa1ea64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110398, "scanner": "repobility-supply-chain", "fingerprint": "0c7b47b9aea8d53c115047dba500d28bcf80284445e8a8e3109b557a194e3a89", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c7b47b9aea8d53c115047dba500d28bcf80284445e8a8e3109b557a194e3a89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bot.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110397, "scanner": "repobility-supply-chain", "fingerprint": "0bf9471d3852e345e3e35681bc243d596c6c2ebb8b88ce597d34971c8755a3f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0bf9471d3852e345e3e35681bc243d596c6c2ebb8b88ce597d34971c8755a3f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bot.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110396, "scanner": "repobility-supply-chain", "fingerprint": "a4322c9b1b9725f21f8c4cc023a8087bb421fec6a6d664eae9a3f226de39b36d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a4322c9b1b9725f21f8c4cc023a8087bb421fec6a6d664eae9a3f226de39b36d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bot.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110395, "scanner": "repobility-supply-chain", "fingerprint": "0ff0591223a0ea2048e850a9ebde349fec3be8111ea68e0b52a747884bf9ab66", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ff0591223a0ea2048e850a9ebde349fec3be8111ea68e0b52a747884bf9ab66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110394, "scanner": "repobility-supply-chain", "fingerprint": "8ef8889e35c28dadcfffb62a8c970ab33f2e2b67263c0b57ce63d85d42fee857", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ef8889e35c28dadcfffb62a8c970ab33f2e2b67263c0b57ce63d85d42fee857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110393, "scanner": "repobility-supply-chain", "fingerprint": "22000d42afd7ffdb519afa71652712aff78310b53fc4a2ff722b29421e4955b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22000d42afd7ffdb519afa71652712aff78310b53fc4a2ff722b29421e4955b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `uWebSockets.js` pulled from URL/Git: `dependencies.uWebSockets.js` = `github:uNetworking/uWebSockets.js#v20.66.0` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 110392, "scanner": "repobility-supply-chain", "fingerprint": "63796dfc8b187423a6a60eb95098e9ecbf166aa976d52de2c1b849c5b2f3c224", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|63796dfc8b187423a6a60eb95098e9ecbf166aa976d52de2c1b849c5b2f3c224"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/report_error has no auth: Express route POST /api/report_error declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 110391, "scanner": "repobility-route-auth", "fingerprint": "22ccda29c7ed5535b4de142bc32bc0db19fd1aa7899e2505e217798ad7087a8d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|22ccda29c7ed5535b4de142bc32bc0db19fd1aa7899e2505e217798ad7087a8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/api/index.ts"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/find_game has no auth: Express route POST /api/find_game declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 110390, "scanner": "repobility-route-auth", "fingerprint": "3c0a2245fde2e6700e7d1104fe618f1e616228a51fd89aca8537abf5e2484ca9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3c0a2245fde2e6700e7d1104fe618f1e616228a51fd89aca8537abf5e2484ca9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/api/index.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/find_game has no auth: Express route POST /api/find_game declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 110389, "scanner": "repobility-route-auth", "fingerprint": "03405e5a993eae62461017a29663e8d5b162bad04f580fe0dd2b260c18d84b33", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|03405e5a993eae62461017a29663e8d5b162bad04f580fe0dd2b260c18d84b33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/gameServer.ts"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 110350, "scanner": "repobility-threat-engine", "fingerprint": "6684b7bc7c043eb404a61e4fc86515f4a4e2cd660ed4729b6455e58997c876a5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(hex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6684b7bc7c043eb404a61e4fc86515f4a4e2cd660ed4729b6455e58997c876a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shared/utils/util.ts"}, "region": {"startLine": 256}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 110348, "scanner": "repobility-threat-engine", "fingerprint": "f751c1f5fb9468720b7462d4edd22f1f9ac71164c21a619966018c1b81abc3cf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Router.post(\"/profile\", async (c) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f751c1f5fb9468720b7462d4edd22f1f9ac71164c21a619966018c1b81abc3cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/api/routes/user/UserRouter.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 110347, "scanner": "repobility-threat-engine", "fingerprint": "94c7b069e7f0587fc14f319769a64fb1be8a07ba5eb4365223e0874ca20a7b68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cors({\n        origin: \"*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|94c7b069e7f0587fc14f319769a64fb1be8a07ba5eb4365223e0874ca20a7b68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/api/index.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 110333, "scanner": "repobility-threat-engine", "fingerprint": "f2322c7bf9c2dea7a5c9a15daca1a45906460cfa3a2940de1c369e809753ccbc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(\n                    n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2322c7bf9c2dea7a5c9a15daca1a45906460cfa3a2940de1c369e809753ccbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/helpers.ts"}, "region": {"startLine": 208}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 110332, "scanner": "repobility-threat-engine", "fingerprint": "9d37f5ed04e750cf80ccd03bb99552c13715bcd799760884bacfad99865a82aa", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d37f5ed04e750cf80ccd03bb99552c13715bcd799760884bacfad99865a82aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/crosshair.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 110331, "scanner": "repobility-threat-engine", "fingerprint": "fd65463b8884b3abd063d6a06d04eaba75d8637aaa074c5f6003bec3958b8fa7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd65463b8884b3abd063d6a06d04eaba75d8637aaa074c5f6003bec3958b8fa7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/api.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 110325, "scanner": "repobility-threat-engine", "fingerprint": "e0dc6d39c8b1991456a4ed679b533f8cf1714f4f27a2f3781719456268b3f946", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "errorLogManager.update();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e0dc6d39c8b1991456a4ed679b533f8cf1714f4f27a2f3781719456268b3f946"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/errorLogs.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 110324, "scanner": "repobility-threat-engine", "fingerprint": "748402f5b2bd193e19ead45ebce2748b06c0b71db43008c4b90d44864dc3593e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.update();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|748402f5b2bd193e19ead45ebce2748b06c0b71db43008c4b90d44864dc3593e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/debug/graph.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 110323, "scanner": "repobility-threat-engine", "fingerprint": "b4c25994c80d2b856013ee2a1f68b35fb4857c6c1e436423945a9f48ef9cf9e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.ambience.update(dt, this.audioManager, !this.active);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b4c25994c80d2b856013ee2a1f68b35fb4857c6c1e436423945a9f48ef9cf9e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/building-editor/src/main.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 110318, "scanner": "repobility-threat-engine", "fingerprint": "1a3733f35c66c98f457186dea154419cc92efa382f0eb8c9fa0bba0e7f90e1a4", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".html(\n                        `${streamer.name} <span>${streamer.viewers} ${text}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a3733f35c66c98f457186dea154419cc92efa382f0eb8c9fa0bba0e7f90e1a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/siteInfo.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 110317, "scanner": "repobility-threat-engine", "fingerprint": "ef2860a056938ce87aec9e7332724156c700ba445a1ba198e1bb6f032874da7f", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${key}-${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef2860a056938ce87aec9e7332724156c700ba445a1ba198e1bb6f032874da7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/atlas-builder/atlasBuilder.ts"}, "region": {"startLine": 355}}}]}]}]}