{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "QUAL003", "name": "Magic number used as default arg", "shortDescription": {"text": "Magic number used as default arg"}, "fullDescription": {"text": "Using hardcoded default values for complex configuration objects makes the code brittle and difficult to manage. Consider using a dedicated factory or builder pattern.\n\nAuto-promoted from proposal 444 on 2026-05-12. Synth confidence: 0.85. FP estimate: 0.00."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "LOG001", "name": "PII printed to stdout/stderr", "shortDescription": {"text": "PII printed to stdout/stderr"}, "fullDescription": {"text": "Logging password/token/email/ssn directly to stdout."}, "properties": {"scanner": "repobility", "category": "logging", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "SUPC002", "name": "Supply chain \u2014 npm install without lockfile", "shortDescription": {"text": "Supply chain \u2014 npm install without lockfile"}, "fullDescription": {"text": "Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"scanner": "repobility", "category": "supply_chain", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "CRYP001", "name": "Crypto \u2014 plaintext HTTP for sensitive endpoint", "shortDescription": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "fullDescription": {"text": "Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /."}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. ", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 13 more): Same pattern found in 13 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 35 more): Same pattern found in 35 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /mcp has no auth", "shortDescription": {"text": "Express POST /mcp has no auth"}, "fullDescription": {"text": "Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SECR001", "name": "Hardcoded secret in source", "shortDescription": {"text": "Hardcoded secret in source"}, "fullDescription": {"text": "API key, AWS access key, password, or private key embedded directly in source. AI assistants frequently leak demo creds."}, "properties": {"scanner": "repobility", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "SSTI001", "name": "SSTI \u2014 Jinja2 Template from user string", "shortDescription": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "fullDescription": {"text": "jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"scanner": "repobility", "category": "injection", "severity": "critical", "confidence": 0.85, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/182"}, "properties": {"repository": "modelcontextprotocol/typescript-sdk", "repoUrl": "https://github.com/modelcontextprotocol/typescript-sdk", "branch": "main"}, "results": [{"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 40330, "scanner": "repobility-threat-engine", "fingerprint": "e2f8e19f2901a8ba5df86d4d6c28e61487c626d89396d34fd5a1ee2c995abde8", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|examples/shared/src/auth.ts|42|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/shared/src/auth.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21930, "scanner": "repobility", "fingerprint": "664c2f46adadd26c0ee76cb8558a0cfa", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 60", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/clientGuide.examples.ts"}, "region": {"startLine": 454}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21929, "scanner": "repobility", "fingerprint": "9ff468f3ce2b89baf6dba8315c9ee1d7", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 300", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/types/types.ts"}, "region": {"startLine": 1559}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21928, "scanner": "repobility", "fingerprint": "05ad19ab2fadc0d97d016c91aa0ce302", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 300", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/types/types.ts"}, "region": {"startLine": 1541}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21927, "scanner": "repobility", "fingerprint": "86578f0a1ad5abbd2d457c02f1bc4ac2", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "default 0", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/client/middleware.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16998, "scanner": "repobility", "fingerprint": "ca5e01c095f844e4e01802d3030c453c", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "console.log('Progress token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/conformance/src/everythingServer.ts"}, "region": {"startLine": 246}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16997, "scanner": "repobility", "fingerprint": "6f4a43be2e29f7b4f73acfeae9bac105", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "console.log(`[Auth]   Password: ${DEMO_USER_CREDENTIALS.password", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/shared/src/auth.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16996, "scanner": "repobility", "fingerprint": "48cfa4c03e0275646b41b4897a07870a", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "console.log(`  Token: ${authServerUrl}api/auth/mcp/token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/shared/src/authServer.ts"}, "region": {"startLine": 251}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16995, "scanner": "repobility", "fingerprint": "321de5665dfb71947643a40dc88d6085", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "console.log(`Simulating OAuth token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/elicitationUrlExample.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16994, "scanner": "repobility", "fingerprint": "a3b0ec720e150329ccd1562254b72578", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "console.log(`[Event ID] ${token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/ssePollingClient.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16993, "scanner": "repobility", "fingerprint": "b2c226d566c14e003f157cdc24e6100d", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "console.log('Getting OAuth token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/elicitationUrlExample.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16992, "scanner": "repobility", "fingerprint": "11ea1ad4d38c90f480466c1fb0923f3a", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "console.log('Using client_secret", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/simpleClientCredentials.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16991, "scanner": "repobility", "fingerprint": "1a2f08448ae322e7bf42093e245b196f", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "console.log(`Updated resumption token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/simpleStreamableHttp.ts"}, "region": {"startLine": 767}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16990, "scanner": "repobility", "fingerprint": "736f71c4b41ecf372ce8cd2c67c2533d", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "console.log(`Using resumption token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/simpleStreamableHttp.ts"}, "region": {"startLine": 755}}}]}, {"ruleId": "SUPC002", "level": "warning", "message": {"text": "Supply chain \u2014 npm install without lockfile"}, "properties": {"repobilityId": 15664, "scanner": "repobility", "fingerprint": "98df2b0feb387a4b06def47a04e55e17", "category": "supply_chain", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "npm install", "aljefra_cwe": ["CWE-1357"], "aljefra_owasp": "A06:2021", "aljefra_pattern_slug": "npm-install-no-lockfile"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate-multidoc.sh"}, "region": {"startLine": 45}}}]}, {"ruleId": "SUPC002", "level": "warning", "message": {"text": "Supply chain \u2014 npm install without lockfile"}, "properties": {"repobilityId": 15663, "scanner": "repobility", "fingerprint": "eef15d1e1daf1f66e4b0799b0b790a04", "category": "supply_chain", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "npm install", "aljefra_cwe": ["CWE-1357"], "aljefra_owasp": "A06:2021", "aljefra_pattern_slug": "npm-install-no-lockfile"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate-multidoc.sh"}, "region": {"startLine": 44}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14183, "scanner": "repobility", "fingerprint": "57c5d37bd141e345961a1a92e10e0d0c", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/helpers/src/helpers/http.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14182, "scanner": "repobility", "fingerprint": "1401e867f225a8911179e24ffdacfcaa", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/node/test/streamableHttp.test.ts"}, "region": {"startLine": 2918}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14181, "scanner": "repobility", "fingerprint": "cd3187ea4bdf7dca1aa94c78057349bb", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/node/test/streamableHttp.test.ts"}, "region": {"startLine": 2911}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14180, "scanner": "repobility", "fingerprint": "4d53648b77d7cf05fa3253049599cea9", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/node/test/streamableHttp.test.ts"}, "region": {"startLine": 2883}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14179, "scanner": "repobility", "fingerprint": "5aef2ac73227b23d8f3914e02ebe7acb", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/node/test/streamableHttp.test.ts"}, "region": {"startLine": 2838}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14178, "scanner": "repobility", "fingerprint": "420c64ae670cbcd9e439a0134e116e85", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "fixed", "verdict": "likely_fp", "isResolved": true, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/node/test/streamableHttp.test.ts"}, "region": {"startLine": 2831}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14177, "scanner": "repobility", "fingerprint": "f000d21d80c24560a083d87dfaa7e77e", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/server/middleware/hostHeaderValidation.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5225, "scanner": "repobility-journey-contract", "fingerprint": "22a0d177f0c5aaffdc7b9c357ce5e2018a23692fd53304e51cd2d1e04a877548", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/users", "correlation_key": "fp|22a0d177f0c5aaffdc7b9c357ce5e2018a23692fd53304e51cd2d1e04a877548", "backend_endpoint_count": 5}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/shared/authUtils.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 5224, "scanner": "repobility-journey-contract", "fingerprint": "5ae19f452df85b35ad22ff07be24ae15073a931738d9a3176949e3358f40fc3a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/users", "correlation_key": "fp|5ae19f452df85b35ad22ff07be24ae15073a931738d9a3176949e3358f40fc3a", "backend_endpoint_count": 5}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/shared/authUtils.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /."}, "properties": {"repobilityId": 5223, "scanner": "repobility-access-control", "fingerprint": "01dd0c4d1e259b1d6dd0bf10f47a31427046a4d0053e8cc4acea921ed057188f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|56|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/express/src/auth/metadataRouter.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /mcp."}, "properties": {"repobilityId": 5222, "scanner": "repobility-access-control", "fingerprint": "e511ad9552ca78ebacc35daee7987348f2b96238d25531aaf0179457653e14ba", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/mcp", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|62|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/node/src/streamableHttp.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 5221, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5213, "scanner": "repobility-threat-engine", "fingerprint": "1e60cf5d4ca5902c292a8c623d2d513d539704070472e6ac216db89144d473f9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1e60cf5d4ca5902c292a8c623d2d513d539704070472e6ac216db89144d473f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/client/streamableHttp.ts"}, "region": {"startLine": 270}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5212, "scanner": "repobility-threat-engine", "fingerprint": "0557844a5177764bc999c64bd6f3b7fe1361dabd93cfde3e6e9bc55b7144be17", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0557844a5177764bc999c64bd6f3b7fe1361dabd93cfde3e6e9bc55b7144be17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/client/sse.ts"}, "region": {"startLine": 283}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5211, "scanner": "repobility-threat-engine", "fingerprint": "1899f004fb57046336680f73f8505f4d9fa316850506aa1ef607e11533cfb7e0", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1899f004fb57046336680f73f8505f4d9fa316850506aa1ef607e11533cfb7e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/client/auth.ts"}, "region": {"startLine": 976}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5210, "scanner": "repobility-agent-runtime", "fingerprint": "070053f7017d3335de985cffc4df4d65beb72abe02b968571fd16ba281b92cc0", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|070053f7017d3335de985cffc4df4d65beb72abe02b968571fd16ba281b92cc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/hono/src/hono.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5209, "scanner": "repobility-agent-runtime", "fingerprint": "4ad18f4c9046d308ded3d5676db346631771a54dd4885d688354cdf55091189a", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4ad18f4c9046d308ded3d5676db346631771a54dd4885d688354cdf55091189a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/fastify/src/fastify.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5208, "scanner": "repobility-agent-runtime", "fingerprint": "84c6eb65fd9a11160b42a2af819baf496236c4d614de91560e90b253d5464d35", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|84c6eb65fd9a11160b42a2af819baf496236c4d614de91560e90b253d5464d35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/fastify/src/fastify.examples.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5207, "scanner": "repobility-agent-runtime", "fingerprint": "766e90a415cf976bb763e7112138619115c2c24350d87491f56785409f6db1cc", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|766e90a415cf976bb763e7112138619115c2c24350d87491f56785409f6db1cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/express/src/express.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5206, "scanner": "repobility-agent-runtime", "fingerprint": "3057f80efe8d681c9443ff3e2de6d4a1c0df15591ba6fb12a1aca12495ae94fd", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3057f80efe8d681c9443ff3e2de6d4a1c0df15591ba6fb12a1aca12495ae94fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/express/src/express.examples.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 5205, "scanner": "repobility-agent-runtime", "fingerprint": "c502a25042ee3409ef966d1082f4ad7cf5c0bd423a98b4b81defc625b3d02719", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c502a25042ee3409ef966d1082f4ad7cf5c0bd423a98b4b81defc625b3d02719"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/serverGuide.examples.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5195, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9979a70a6311e457de6ae53d910d9e932bc6cd06a73e6804d5906f7d3edc0dc5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/client/sse.ts", "duplicate_line": 192, "correlation_key": "fp|9979a70a6311e457de6ae53d910d9e932bc6cd06a73e6804d5906f7d3edc0dc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/client/streamableHttp.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40256, "scanner": "repobility-ai-code-hygiene", "fingerprint": "970ea96539b43ef0f8541bd33577642ce72697ea48531dc3d4ac5877205559ac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/client/sse.ts", "duplicate_line": 199, "correlation_key": "fp|970ea96539b43ef0f8541bd33577642ce72697ea48531dc3d4ac5877205559ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/client/streamableHttp.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 5226, "scanner": "repobility-web-presence", "fingerprint": "4043225faa3d194ec7d83eb6b506a77044cc47247819125860baa12b890ba86d", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|4043225faa3d194ec7d83eb6b506a77044cc47247819125860baa12b890ba86d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5204, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e398b4f4f779a0d5a7c9b3a9024b4cfefe1c7a60d4146b15ae9978c282c939f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/conformance/src/authTestServer.ts", "duplicate_line": 216, "correlation_key": "fp|e398b4f4f779a0d5a7c9b3a9024b4cfefe1c7a60d4146b15ae9978c282c939f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/conformance/src/everythingServer.ts"}, "region": {"startLine": 781}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5203, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d76cb26d501baee41faee60843c5eb808aa066004003a637d7e278ff816014c5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/tsdown.config.ts", "duplicate_line": 5, "correlation_key": "fp|d76cb26d501baee41faee60843c5eb808aa066004003a637d7e278ff816014c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/tsdown.config.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5202, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a21eb9951e7699ae4dd38e525f3da874cfacea8c5031fc79aac1d97baa512a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/client/stdio.ts", "duplicate_line": 112, "correlation_key": "fp|3a21eb9951e7699ae4dd38e525f3da874cfacea8c5031fc79aac1d97baa512a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/server/stdio.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5201, "scanner": "repobility-ai-code-hygiene", "fingerprint": "655866775f9f5f112053510cf533dcb2fc3de6d66647d87c91c46c98d96b35ac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/server/src/experimental/tasks/server.ts", "duplicate_line": 42, "correlation_key": "fp|655866775f9f5f112053510cf533dcb2fc3de6d66647d87c91c46c98d96b35ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/server/server.ts"}, "region": {"startLine": 356}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5200, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6017f8d21780a8913dc0dc2fa22f31839edcae4315a580766d0652a7b4da7945", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/client/client.ts", "duplicate_line": 253, "correlation_key": "fp|6017f8d21780a8913dc0dc2fa22f31839edcae4315a580766d0652a7b4da7945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/server/server.ts"}, "region": {"startLine": 166}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5199, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d39f92da63cafe30261609a1030035e43ec377b9dd2ccec2561b5df330dd9d3a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/src/experimental/tasks/client.ts", "duplicate_line": 100, "correlation_key": "fp|d39f92da63cafe30261609a1030035e43ec377b9dd2ccec2561b5df330dd9d3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/experimental/tasks/server.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5198, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1d0abfbbd86b13fe465a6c684007e63a772b9795dd0a99e51381c97cd62be05d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client/tsdown.config.ts", "duplicate_line": 5, "correlation_key": "fp|1d0abfbbd86b13fe465a6c684007e63a772b9795dd0a99e51381c97cd62be05d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/node/tsdown.config.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5197, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cfe288944f71c7098c72db003750d0c89caceb54ba16f56ebac29508313d7117", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/middleware/express/tsdown.config.ts", "duplicate_line": 1, "correlation_key": "fp|cfe288944f71c7098c72db003750d0c89caceb54ba16f56ebac29508313d7117"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/hono/tsdown.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5196, "scanner": "repobility-ai-code-hygiene", "fingerprint": "daf719f097535129581d47e6cc2c282f3bf0ed4f197721b035689bc9515a483d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/middleware/express/tsdown.config.ts", "duplicate_line": 1, "correlation_key": "fp|daf719f097535129581d47e6cc2c282f3bf0ed4f197721b035689bc9515a483d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/fastify/tsdown.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 40342, "scanner": "repobility-threat-engine", "fingerprint": "440243ef2232e957470dee6ed12196ad68c660b1b69f64b04a34ec8bd86fe10c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|440243ef2232e957470dee6ed12196ad68c660b1b69f64b04a34ec8bd86fe10c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate-multidoc.sh"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 40341, "scanner": "repobility-threat-engine", "fingerprint": "854a1bfaea1c6e99a461715da2aed8458f29d68162b8425b8d72a7ae222ba3b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|854a1bfaea1c6e99a461715da2aed8458f29d68162b8425b8d72a7ae222ba3b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/server/middleware/hostHeaderValidation.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 40337, "scanner": "repobility-threat-engine", "fingerprint": "5254539a092a5eeb835ac7ab1dede2f1f1e9fdadfaea43a2e97725645ce6ca8d", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|21|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/server/streamableHttp.examples.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 40336, "scanner": "repobility-threat-engine", "fingerprint": "80eaf11f07ffaab8a829e9313bd3c103a7bfcf8b48039aa656aa4a2218abbef3", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|31|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/experimental/tasks/stores/inMemory.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 40332, "scanner": "repobility-threat-engine", "fingerprint": "6e8d55a77c1308e6d5fb0c0aed86b66ec2dd62d52340c041d5cefcdf0c0b0de2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e8d55a77c1308e6d5fb0c0aed86b66ec2dd62d52340c041d5cefcdf0c0b0de2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/client/middleware.examples.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 40331, "scanner": "repobility-threat-engine", "fingerprint": "50485ebb33cff510bc7c2b2cc7cff9c19b559d3cd0700166b2e01ba8dd09fb8d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|50485ebb33cff510bc7c2b2cc7cff9c19b559d3cd0700166b2e01ba8dd09fb8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/shared/src/auth.ts"}, "region": {"startLine": 218}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 40329, "scanner": "repobility-threat-engine", "fingerprint": "6fa2e9ef1c1856e1ba7ae153052023beba4be6def90f2e547c9aea7606eafe65", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6fa2e9ef1c1856e1ba7ae153052023beba4be6def90f2e547c9aea7606eafe65"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 40325, "scanner": "repobility-threat-engine", "fingerprint": "8ef4fc4a1d1afa020d5157bc26f8e97b25b84982c476e0fc9fc2b462b5f52536", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8ef4fc4a1d1afa020d5157bc26f8e97b25b84982c476e0fc9fc2b462b5f52536", "aggregated_count": 6}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40324, "scanner": "repobility-threat-engine", "fingerprint": "ea617656c5dc9e7542b2b9e212cdaf871f5d899018927861df61d1ed5f95eed6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea617656c5dc9e7542b2b9e212cdaf871f5d899018927861df61d1ed5f95eed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/codemod/scripts/generateSpecSchemaMap.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40323, "scanner": "repobility-threat-engine", "fingerprint": "d01ccc9a96e94d255f3a4fc68369e814e5a70275a601017c54de4d1ed025891a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d01ccc9a96e94d255f3a4fc68369e814e5a70275a601017c54de4d1ed025891a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/standaloneSseWithGetStreamableHttp.ts"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40322, "scanner": "repobility-threat-engine", "fingerprint": "a6885fb4271cd4a839102567ad60b0d7f06e43a2675c72da599a14e979d40251", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6885fb4271cd4a839102567ad60b0d7f06e43a2675c72da599a14e979d40251"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/honoWebStandardStreamableHttp.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 40320, "scanner": "repobility-threat-engine", "fingerprint": "67207f5a6f091578506eace9ca6ffadd0a3f381d921b44ecf0b5e41c235e25c5", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|67207f5a6f091578506eace9ca6ffadd0a3f381d921b44ecf0b5e41c235e25c5"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 40316, "scanner": "repobility-threat-engine", "fingerprint": "019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 40315, "scanner": "repobility-threat-engine", "fingerprint": "0091c27d289862cd5b26f7df074076d50ca5e14de81b16fc6b11d18ca8491987", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET required for oauth mode')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|9|console.error oauth_client_id and oauth_client_secret required for oauth mode"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/dualModeAuth.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 40314, "scanner": "repobility-threat-engine", "fingerprint": "ffe0bb40951d1fe20325d6626515b6b3f5194cef1a3be6e6de11e9645a8d8a72", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ffe0bb40951d1fe20325d6626515b6b3f5194cef1a3be6e6de11e9645a8d8a72", "aggregated_count": 1}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 40313, "scanner": "repobility-threat-engine", "fingerprint": "8ebeffeb49feb7ccd901b626e41522979af56b0a218269375025be581a13de53", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8ebeffeb49feb7ccd901b626e41522979af56b0a218269375025be581a13de53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/ssePollingClient.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 40312, "scanner": "repobility-threat-engine", "fingerprint": "d694fc29283c091265e6edf0ea794116576d22416484d863d41db06ee44325ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d694fc29283c091265e6edf0ea794116576d22416484d863d41db06ee44325ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/simpleClientCredentials.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 40311, "scanner": "repobility-threat-engine", "fingerprint": "c7a66881299c6bd7e0bf4c099a5fd61f513d88e37a3e34e1e6926d37c0e6c8f7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c7a66881299c6bd7e0bf4c099a5fd61f513d88e37a3e34e1e6926d37c0e6c8f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client-quickstart/src/index.ts"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "properties": {"repobilityId": 40310, "scanner": "repobility-threat-engine", "fingerprint": "fc2820ba768b38371d72dc7d63a178982e28edbe336a7b7364fcb73e52ea788b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fc2820ba768b38371d72dc7d63a178982e28edbe336a7b7364fcb73e52ea788b", "aggregated_count": 35}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40309, "scanner": "repobility-threat-engine", "fingerprint": "4f56060b17d4058e7f2c7b30736bc9a90efc031a45d07cd171f9ccd19aeb0606", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f56060b17d4058e7f2c7b30736bc9a90efc031a45d07cd171f9ccd19aeb0606"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/dualModeAuth.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40308, "scanner": "repobility-threat-engine", "fingerprint": "823005fac9883ba36903d2367e6309fe0d6a3067bb762bd2742453110f1e5f55", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|823005fac9883ba36903d2367e6309fe0d6a3067bb762bd2742453110f1e5f55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/customMethodExample.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40307, "scanner": "repobility-threat-engine", "fingerprint": "445a9f323d6ea84e0c4680789f734fc8e4d06b815b10e84ea42fa0316271e4be", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|445a9f323d6ea84e0c4680789f734fc8e4d06b815b10e84ea42fa0316271e4be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client-quickstart/src/index.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 5220, "scanner": "repobility-threat-engine", "fingerprint": "260684795bf2afdc86f315902c265bf0ecbdf41aa73697ff08b95a7d16b6d065", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|260684795bf2afdc86f315902c265bf0ecbdf41aa73697ff08b95a7d16b6d065"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5219, "scanner": "repobility-threat-engine", "fingerprint": "59f9595b8c184917bdc3782a919f82b5a25bb8dcb1176229d4d4dcabb4da29d1", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(`\ud83c\udf10 Opening browser for authorization: ${url}`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|console.log opening browser for authorization: url"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/simpleOAuthClient.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5216, "scanner": "repobility-threat-engine", "fingerprint": "50b3548281e717866b5c1505600028cbec0d5d716a47a560b5780c5ae6865880", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|15|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/inMemoryEventStore.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5215, "scanner": "repobility-threat-engine", "fingerprint": "9b4b6efd6b59b2d9c7086911fbcf2fea5331dd8d1a425ca75b73329bce38ccc4", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|43|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/mcpServerOutputSchema.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5214, "scanner": "repobility-threat-engine", "fingerprint": "f4f5a0e8ba50f065becfc591f59bd9da906a9303931a24122aeb00bc5fc53316", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|50|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/client/authExtensions.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 40339, "scanner": "repobility-threat-engine", "fingerprint": "b33a0e21887ed3f0d59906b4605e5e5ee02c84202cdaa7b119af05ffedb727fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b33a0e21887ed3f0d59906b4605e5e5ee02c84202cdaa7b119af05ffedb727fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/shared/uriTemplate.ts"}, "region": {"startLine": 274}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40338, "scanner": "repobility-threat-engine", "fingerprint": "195a2110fdf7467298a7e79c54f75f68276096b6cae98074e8dd95f96a54e374", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.tasks.delete(taskId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|195a2110fdf7467298a7e79c54f75f68276096b6cae98074e8dd95f96a54e374"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/experimental/tasks/stores/inMemory.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40335, "scanner": "repobility-threat-engine", "fingerprint": "d4b8bd597cd9a9508426e3b44ed00fe43d4b351ebe0a3d235064ecd9ce53cefa", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([pkg, ver], i) => `    '${pkg}': '${ver}'${i < entries.length - 1 ? ',' : ''}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d4b8bd597cd9a9508426e3b44ed00fe43d4b351ebe0a3d235064ecd9ce53cefa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/codemod/scripts/generateVersions.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40334, "scanner": "repobility-threat-engine", "fingerprint": "37abd8a8387fce065d21bbcb3ed7a651b823b97e630606d507fcaf6c274c911d", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((s, i) => `    '${s}'${i < allSchemas.length - 1 ? ',' : ''}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|37abd8a8387fce065d21bbcb3ed7a651b823b97e630606d507fcaf6c274c911d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/codemod/scripts/generateSpecSchemaMap.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40333, "scanner": "repobility-threat-engine", "fingerprint": "757a0a66aba02a5ae50f643bab6b61625e8eaf17f0dcc0649326f4509b34e469", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${key}: ${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|757a0a66aba02a5ae50f643bab6b61625e8eaf17f0dcc0649326f4509b34e469"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/client/middleware.ts"}, "region": {"startLine": 170}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 40328, "scanner": "repobility-threat-engine", "fingerprint": "9860429e7d94e2a09549a669e9de66053e3a0ceae38e970810b3db8f545dbcc1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/mcp', async (req: Request, res: Response) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9860429e7d94e2a09549a669e9de66053e3a0ceae38e970810b3db8f545dbcc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/standaloneSseWithGetStreamableHttp.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 40327, "scanner": "repobility-threat-engine", "fingerprint": "f84924ee877042e3301f671e7368b95680e77a152e98d25a14dee009ff2723d3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/mcp', async (req: Request, res: Response) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f84924ee877042e3301f671e7368b95680e77a152e98d25a14dee009ff2723d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/simpleStatelessStreamableHttp.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 40326, "scanner": "repobility-threat-engine", "fingerprint": "0a49d45fc0d6aecb568e674f4b7d207a4d7e81396cd6de17c53c82df008a07c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/mcp', async (req: Request, res: Response) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a49d45fc0d6aecb568e674f4b7d207a4d7e81396cd6de17c53c82df008a07c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/jsonResponseStreamableHttp.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 40321, "scanner": "repobility-threat-engine", "fingerprint": "7a7f502562072dfc59aa1376b6af9fbc8ae9eff67d64ceb316fe0822afc1d0e5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cors({\n        origin: '*", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7a7f502562072dfc59aa1376b6af9fbc8ae9eff67d64ceb316fe0822afc1d0e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/honoWebStandardStreamableHttp.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40319, "scanner": "repobility-threat-engine", "fingerprint": "218b95e91412ad1d6096cbcb4ae9b700aaa1b818fa775bba7687b863891f3ca6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(D", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|218b95e91412ad1d6096cbcb4ae9b700aaa1b818fa775bba7687b863891f3ca6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/simpleClientCredentials.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40318, "scanner": "repobility-threat-engine", "fingerprint": "ffbfff188f814677a3e6736a50e8dc30c7cbb81b57309e232a66cd00d57e8ffb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ffbfff188f814677a3e6736a50e8dc30c7cbb81b57309e232a66cd00d57e8ffb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/parallelToolCallsClient.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40317, "scanner": "repobility-threat-engine", "fingerprint": "6da78ce9d6eadd7d20db60622f9a729a44621765ba557ad8addb14c56ce93c90", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6da78ce9d6eadd7d20db60622f9a729a44621765ba557ad8addb14c56ce93c90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/multipleClientsParallel.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40306, "scanner": "repobility-supply-chain", "fingerprint": "d040607e9024cf21aa077676664508c6b020257d2e524180f47cfe94938217bd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d040607e9024cf21aa077676664508c6b020257d2e524180f47cfe94938217bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40305, "scanner": "repobility-supply-chain", "fingerprint": "f0625a4ae0856b024f1f9df53209d8042b5ec8c3cd4fc7513f8757b86d8e710f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0625a4ae0856b024f1f9df53209d8042b5ec8c3cd4fc7513f8757b86d8e710f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/deploy-pages` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 40304, "scanner": "repobility-supply-chain", "fingerprint": "94b2b43c6476187717985931073d2bd8ca58b33d7eba02d66181090f9be0f9db", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|94b2b43c6476187717985931073d2bd8ca58b33d7eba02d66181090f9be0f9db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-pages-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 40303, "scanner": "repobility-supply-chain", "fingerprint": "d8196664cfb5a1433d5e2dadae50c2748bc5b036ddd4e82e1cccff5a0a112dcd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d8196664cfb5a1433d5e2dadae50c2748bc5b036ddd4e82e1cccff5a0a112dcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/configure-pages` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40302, "scanner": "repobility-supply-chain", "fingerprint": "758accc181a353407b6bdc12f73e08c8a05d35b4aa4ffb18748e8a701ee7f9ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|758accc181a353407b6bdc12f73e08c8a05d35b4aa4ffb18748e8a701ee7f9ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40301, "scanner": "repobility-supply-chain", "fingerprint": "3ec646446409d41c3a3abe1c2fb988fb41bda4190158ab480e5cc8bf9cce4b8a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ec646446409d41c3a3abe1c2fb988fb41bda4190158ab480e5cc8bf9cce4b8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40300, "scanner": "repobility-supply-chain", "fingerprint": "0020d24a9b9b1485b52d5957b77cec9b7c3922a2eb9dcd4a52b076fbec2f76f1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0020d24a9b9b1485b52d5957b77cec9b7c3922a2eb9dcd4a52b076fbec2f76f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-docs.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40299, "scanner": "repobility-supply-chain", "fingerprint": "bf714d30a9c0246706db86c9260cb0b2ba32dc8e4328c45bd76c53e13a9987be", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf714d30a9c0246706db86c9260cb0b2ba32dc8e4328c45bd76c53e13a9987be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40298, "scanner": "repobility-supply-chain", "fingerprint": "617b6c7b4d724ad1c043e6f6721555923dbe7f70cfbd9443091341580e1b4ab4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|617b6c7b4d724ad1c043e6f6721555923dbe7f70cfbd9443091341580e1b4ab4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40297, "scanner": "repobility-supply-chain", "fingerprint": "c5abdebf1c002cbba7315b2f87f4c0b2fc148b3e85767385460b5d5c860ed43a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c5abdebf1c002cbba7315b2f87f4c0b2fc148b3e85767385460b5d5c860ed43a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40296, "scanner": "repobility-supply-chain", "fingerprint": "54b5f86f36fc3510700e5359aef4227f86c2f6741f87f50712af469215448a09", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54b5f86f36fc3510700e5359aef4227f86c2f6741f87f50712af469215448a09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `anthropics/claude-code-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 40295, "scanner": "repobility-supply-chain", "fingerprint": "d6087b6eacd5d80c6ce5f021378bec33479d52421b95705230bf89886e5ca9b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6087b6eacd5d80c6ce5f021378bec33479d52421b95705230bf89886e5ca9b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40294, "scanner": "repobility-supply-chain", "fingerprint": "d2f44f1d8f8383ef8355d748ece864ed7f6aa301e9caf46e7092a2431a5b70fc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2f44f1d8f8383ef8355d748ece864ed7f6aa301e9caf46e7092a2431a5b70fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40293, "scanner": "repobility-supply-chain", "fingerprint": "46c7daa59fbe6f36bb6e2b5a8b88d66e90071b85fdc0555d9bfefb38716c4da5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46c7daa59fbe6f36bb6e2b5a8b88d66e90071b85fdc0555d9bfefb38716c4da5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40292, "scanner": "repobility-supply-chain", "fingerprint": "9defff2e9b78d98c3ea039107d1423629a11401541fe6f335aa4d0430e7a5233", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9defff2e9b78d98c3ea039107d1423629a11401541fe6f335aa4d0430e7a5233"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40291, "scanner": "repobility-supply-chain", "fingerprint": "b8d14ddc90ee016052aa96252793fa2539b04360ffb381884bb0a5f5e234c199", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8d14ddc90ee016052aa96252793fa2539b04360ffb381884bb0a5f5e234c199"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40290, "scanner": "repobility-supply-chain", "fingerprint": "0bfbc39a8e220202558bd9688616cde278e7d679b053dd9e7822ef078767e837", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0bfbc39a8e220202558bd9688616cde278e7d679b053dd9e7822ef078767e837"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40289, "scanner": "repobility-supply-chain", "fingerprint": "bf0cf3f7d4696ec603f74e8a0893714737c74bdbac105757eeb4df82622e7b20", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf0cf3f7d4696ec603f74e8a0893714737c74bdbac105757eeb4df82622e7b20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40288, "scanner": "repobility-supply-chain", "fingerprint": "058e0f20ce0228d54f72f9afe1e05e43afcc2c9607e4f3adce33b4763a595e30", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|058e0f20ce0228d54f72f9afe1e05e43afcc2c9607e4f3adce33b4763a595e30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40287, "scanner": "repobility-supply-chain", "fingerprint": "db2a9178480d77453aba52654a343983872f9a37ae723843233340a9ffc51450", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db2a9178480d77453aba52654a343983872f9a37ae723843233340a9ffc51450"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-spec-types.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40286, "scanner": "repobility-supply-chain", "fingerprint": "0b41760b51ad4f57969b1ba843445af77bce85e4d84340a4e3f3aa02609b0d0e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b41760b51ad4f57969b1ba843445af77bce85e4d84340a4e3f3aa02609b0d0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-spec-types.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40285, "scanner": "repobility-supply-chain", "fingerprint": "fa77be066993a1fbfdfb1a4e950a58a8599ded17ff9acc5f9fe0b55c3e77d8df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa77be066993a1fbfdfb1a4e950a58a8599ded17ff9acc5f9fe0b55c3e77d8df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/conformance.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40284, "scanner": "repobility-supply-chain", "fingerprint": "5ca6fcd09058db36a42863a6cc56a7559c63a47c1c2c0c2038a0c18fb57a8614", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ca6fcd09058db36a42863a6cc56a7559c63a47c1c2c0c2038a0c18fb57a8614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/conformance.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40283, "scanner": "repobility-supply-chain", "fingerprint": "e654a14c6a5b25e8cbb491d5db0aca40184a9927db7a0e623a8a115d28ded7e2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e654a14c6a5b25e8cbb491d5db0aca40184a9927db7a0e623a8a115d28ded7e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/conformance.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 40282, "scanner": "repobility-supply-chain", "fingerprint": "932af5e4e6cd927415509c3c749eb88ffade68732230d09423be04b5bfe6a25f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|932af5e4e6cd927415509c3c749eb88ffade68732230d09423be04b5bfe6a25f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/conformance.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /mcp has no auth"}, "properties": {"repobilityId": 40281, "scanner": "repobility-route-auth", "fingerprint": "6a6f38ffa0a1b02f7bfb4d1e16a36de561e4ef884cebd6a13df8a31915f28eb6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6a6f38ffa0a1b02f7bfb4d1e16a36de561e4ef884cebd6a13df8a31915f28eb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/resourceServerOnly.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /mcp has no auth"}, "properties": {"repobilityId": 40280, "scanner": "repobility-route-auth", "fingerprint": "50f2682c42c30d81262b66a01f37b4b14f0bb6b85bb995d06809318a22490bcd", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|50f2682c42c30d81262b66a01f37b4b14f0bb6b85bb995d06809318a22490bcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/simpleStatelessStreamableHttp.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /mcp has no auth"}, "properties": {"repobilityId": 40279, "scanner": "repobility-route-auth", "fingerprint": "247933bc8ebe612447e772bdaa4f32ad2b1ca26889acafac86e1d0526ea1feaf", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|247933bc8ebe612447e772bdaa4f32ad2b1ca26889acafac86e1d0526ea1feaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/simpleStatelessStreamableHttp.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /mcp has no auth"}, "properties": {"repobilityId": 40278, "scanner": "repobility-route-auth", "fingerprint": "98f4cd10faf5a87b231cc57b67c6ead9b3369db6af23138f3f199fb74fc6364d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|98f4cd10faf5a87b231cc57b67c6ead9b3369db6af23138f3f199fb74fc6364d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/standaloneSseWithGetStreamableHttp.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /mcp has no auth"}, "properties": {"repobilityId": 40277, "scanner": "repobility-route-auth", "fingerprint": "a66c2f8449aa80898a68cdc3567513bc10e6ce274358d841cfba3e51a41bde9d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a66c2f8449aa80898a68cdc3567513bc10e6ce274358d841cfba3e51a41bde9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/jsonResponseStreamableHttp.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /echo has no auth"}, "properties": {"repobilityId": 40276, "scanner": "repobility-route-auth", "fingerprint": "814b331dc610a2f4e2fec8e5e1189ad1521830eb3122f35708f4b5b587f31d19", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|814b331dc610a2f4e2fec8e5e1189ad1521830eb3122f35708f4b5b587f31d19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/hono/test/hono.test.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /echo has no auth"}, "properties": {"repobilityId": 40275, "scanner": "repobility-route-auth", "fingerprint": "70e11a6e68a28bbc61bf99359bc7e7f738b04809a5d5bf1c37fe3b619a8f39ab", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|70e11a6e68a28bbc61bf99359bc7e7f738b04809a5d5bf1c37fe3b619a8f39ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/hono/test/hono.test.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /echo has no auth"}, "properties": {"repobilityId": 40274, "scanner": "repobility-route-auth", "fingerprint": "3ba52b3787e7ec8e8492312a1a91a73fce00f4b27157f8df9ae0c438b5dddbff", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3ba52b3787e7ec8e8492312a1a91a73fce00f4b27157f8df9ae0c438b5dddbff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/hono/test/hono.test.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /mcp has no auth"}, "properties": {"repobilityId": 40273, "scanner": "repobility-route-auth", "fingerprint": "81f26234af6a2cecf2a75036fc679b86f1cb3a33340fd1fc54e9bed73cd619b3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|81f26234af6a2cecf2a75036fc679b86f1cb3a33340fd1fc54e9bed73cd619b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/node/src/streamableHttp.examples.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /mcp has no auth"}, "properties": {"repobilityId": 40272, "scanner": "repobility-route-auth", "fingerprint": "75804eba4ba568bb66c815e40deaacbee48a5ea9872fcb1174e123654397a397", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|75804eba4ba568bb66c815e40deaacbee48a5ea9872fcb1174e123654397a397"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/middleware/node/src/streamableHttp.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /mcp has no auth"}, "properties": {"repobilityId": 40271, "scanner": "repobility-route-auth", "fingerprint": "f9036528703c630ded25e6eee6c9faffc6861c69ea2ffc8b25aec97851244a8a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f9036528703c630ded25e6eee6c9faffc6861c69ea2ffc8b25aec97851244a8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/conformance/src/everythingServer.ts"}, "region": {"startLine": 996}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /mcp has no auth"}, "properties": {"repobilityId": 40270, "scanner": "repobility-route-auth", "fingerprint": "f7d899d184e2ece2f594142580e152d5e5364a22cadbe90b51865c6d87688aa6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f7d899d184e2ece2f594142580e152d5e5364a22cadbe90b51865c6d87688aa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/conformance/src/everythingServer.ts"}, "region": {"startLine": 893}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /mcp has no auth"}, "properties": {"repobilityId": 40269, "scanner": "repobility-route-auth", "fingerprint": "203408a9b257f90024cb80f800dd9847ce2799b25a2ac87123529c7fd60c3d4c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|203408a9b257f90024cb80f800dd9847ce2799b25a2ac87123529c7fd60c3d4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/conformance/src/authTestServer.ts"}, "region": {"startLine": 389}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /mcp has no auth"}, "properties": {"repobilityId": 40268, "scanner": "repobility-route-auth", "fingerprint": "1433c6fd3f7e9f11ffb96f3cc9811877f4998aeebaacae3da2012e4e3870eaa4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1433c6fd3f7e9f11ffb96f3cc9811877f4998aeebaacae3da2012e4e3870eaa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/conformance/src/authTestServer.ts"}, "region": {"startLine": 293}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test has no auth"}, "properties": {"repobilityId": 40267, "scanner": "repobility-route-auth", "fingerprint": "d62f39cb2f39d6562225d5b66015cbab481452cdf4efbcd8fe4374cecd44e200", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d62f39cb2f39d6562225d5b66015cbab481452cdf4efbcd8fe4374cecd44e200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/integration/test/server.test.ts"}, "region": {"startLine": 2348}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test has no auth"}, "properties": {"repobilityId": 40266, "scanner": "repobility-route-auth", "fingerprint": "d76423548c1543c72c6dfc6279bad4dde77a78103b4c7e30fddbcd9572e2d2a1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d76423548c1543c72c6dfc6279bad4dde77a78103b4c7e30fddbcd9572e2d2a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/integration/test/server.test.ts"}, "region": {"startLine": 2328}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test has no auth"}, "properties": {"repobilityId": 40265, "scanner": "repobility-route-auth", "fingerprint": "a95b3b09977c374ad5b724f0e372f841cfaa829e04980cb941b730e16b5a9d8a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a95b3b09977c374ad5b724f0e372f841cfaa829e04980cb941b730e16b5a9d8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/integration/test/server.test.ts"}, "region": {"startLine": 2301}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test has no auth"}, "properties": {"repobilityId": 40264, "scanner": "repobility-route-auth", "fingerprint": "adc5d1353255266619eeaf241821b4679ee4679eeb3615e244514048a4d3019a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|adc5d1353255266619eeaf241821b4679ee4679eeb3615e244514048a4d3019a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/integration/test/server.test.ts"}, "region": {"startLine": 2289}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test has no auth"}, "properties": {"repobilityId": 40263, "scanner": "repobility-route-auth", "fingerprint": "16f6e4ec00df14889bd212afdb3ae81fd1ec97042cc6980aab4eb6f90cc99d95", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|16f6e4ec00df14889bd212afdb3ae81fd1ec97042cc6980aab4eb6f90cc99d95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/integration/test/server.test.ts"}, "region": {"startLine": 2277}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test has no auth"}, "properties": {"repobilityId": 40262, "scanner": "repobility-route-auth", "fingerprint": "3534f7606640bed49eac5501c671995ff0879b1b6cd97f4ac94009e7245c0f3c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3534f7606640bed49eac5501c671995ff0879b1b6cd97f4ac94009e7245c0f3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/integration/test/server.test.ts"}, "region": {"startLine": 2264}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test has no auth"}, "properties": {"repobilityId": 40261, "scanner": "repobility-route-auth", "fingerprint": "39c5f28db585891a5b2677e0bb90c53df1f0fd00083567458366cc90067810b9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|39c5f28db585891a5b2677e0bb90c53df1f0fd00083567458366cc90067810b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/integration/test/server.test.ts"}, "region": {"startLine": 2252}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test has no auth"}, "properties": {"repobilityId": 40260, "scanner": "repobility-route-auth", "fingerprint": "f73920656d4805f9eb3c8f950c3ca81f83d6ce306da0611871e10e7902d93d10", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f73920656d4805f9eb3c8f950c3ca81f83d6ce306da0611871e10e7902d93d10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/integration/test/server.test.ts"}, "region": {"startLine": 2240}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test has no auth"}, "properties": {"repobilityId": 40259, "scanner": "repobility-route-auth", "fingerprint": "98c45baaaa360b9473f691cadf21ccb13d4d14ddce4657171d2996d2940c4a30", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|98c45baaaa360b9473f691cadf21ccb13d4d14ddce4657171d2996d2940c4a30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/integration/test/server.test.ts"}, "region": {"startLine": 2221}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /test has no auth"}, "properties": {"repobilityId": 40258, "scanner": "repobility-route-auth", "fingerprint": "3bcb1aa58fb0ff84da1de743703aede123e5a685143c7ae0cb3cf0dba01f5f46", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3bcb1aa58fb0ff84da1de743703aede123e5a685143c7ae0cb3cf0dba01f5f46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/integration/test/server.test.ts"}, "region": {"startLine": 2209}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /message has no auth"}, "properties": {"repobilityId": 40257, "scanner": "repobility-route-auth", "fingerprint": "eafc5860ea2c440e8c14e06023e27a2378919022fa3216df92e7575f33ff6296", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|eafc5860ea2c440e8c14e06023e27a2378919022fa3216df92e7575f33ff6296"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cli.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5218, "scanner": "repobility-threat-engine", "fingerprint": "e451b9b328caf0aba83812aef1088f10952214f73fe1a7acc2ea9f2fd88443cc", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`[Event ID] ${token}`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|8|console.log event id token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/client/src/ssePollingClient.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5217, "scanner": "repobility-threat-engine", "fingerprint": "2f6937cdbc3dca75b462e5e378356941147e55606585d71cd06245e82ca78383", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Console output includes a credential-bearing template expression.", "evidence": {"match": "console.log(`[Auth]   Password: <redacted>}`)", "reason": "Console output includes a credential-bearing template expression.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.92, "correlation_key": "secret|examples/shared/src/auth.ts|15|console.log auth password: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/shared/src/auth.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 40340, "scanner": "repobility-threat-engine", "fingerprint": "5821d8c0850a06e7b675e3a4a9ad39ae1d9c53c977f070b9001d2b1b3a373dd8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5821d8c0850a06e7b675e3a4a9ad39ae1d9c53c977f070b9001d2b1b3a373dd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/types/guards.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16628, "scanner": "repobility", "fingerprint": "ff9d4c58ce04d196aa04ff485285d07d", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "-----BEGIN PRIVATE KEY-----", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/test/client/authExtensions.test.ts"}, "region": {"startLine": 297}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15887, "scanner": "repobility", "fingerprint": "8fc951dce199e33bfdcb0843ca3a5ba6", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template('users://{user", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/integration/test/title.test.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15886, "scanner": "repobility", "fingerprint": "513959249983c7154cb869f57b457833", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template('user://{user", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/server/src/serverGuide.examples.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15885, "scanner": "repobility", "fingerprint": "fc4848da9047eefd76c770875c1cbddf", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template('/user", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/test/shared/uriTemplate.test.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15884, "scanner": "repobility", "fingerprint": "c6cecba2599b55ee21b4e58bbf91f4d4", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template('/users/{user", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/test/shared/uriTemplate.test.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15883, "scanner": "repobility", "fingerprint": "3932cca1da027bd448e3e6abc986354a", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template('/users/{user", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/test/shared/uriTemplate.test.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15882, "scanner": "repobility", "fingerprint": "8b7abd1d79e34ea8f92b3e107131ccc1", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template('http://example.com/users/{user", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/test/shared/uriTemplate.test.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15881, "scanner": "repobility", "fingerprint": "e223637d6eccfe918e5dfbb184be62d7", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template('http://example.com/users/{user", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/test/shared/uriTemplate.test.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15880, "scanner": "repobility", "fingerprint": "38114753f4e20232adc8d022edac1525", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template('/user", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/test/shared/uriTemplate.test.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15879, "scanner": "repobility", "fingerprint": "2410b4f64b3397ae42295559daf88a18", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template(request", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/types/types.ts"}, "region": {"startLine": 2151}}}]}, {"ruleId": "SSTI001", "level": "error", "message": {"text": "SSTI \u2014 Jinja2 Template from user string"}, "properties": {"repobilityId": 15878, "scanner": "repobility", "fingerprint": "42c0e1bb438d2f90d11c2c3c7eb1898f", "category": "injection", "severity": "critical", "confidence": 0.85, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {"snippet": "Template(request", "aljefra_cwe": ["CWE-94"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "ssti-jinja-from-string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/server/mcp.ts"}, "region": {"startLine": 369}}}]}]}]}