{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `convert_to_openai_messages` has cognitive complexity 17 (SonarSource scal", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `convert_to_openai_messages` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 17."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_README", "name": "No README file found", "shortDescription": {"text": "No README file found"}, "fullDescription": {"text": "Create a README.md with: project name and description, installation instructions, usage examples, configuration options, and contribution guidelines."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 13 more): Same pattern found in 13 additional files", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED024] Js Eval Usage (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 91 more): Same pattern found in 91 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 91 more): Same pattern found in 91 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 286 more): Same pattern found in 286 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 286 more): Same pattern found in 286 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 271 more): Same pattern found in 271 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 271 more): Same pattern found in 271 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 35 more): Same pattern found in 35 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 22 more): Same pattern found in 22 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 1181 more): Same pattern found in 1181 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 1181 more): Same pattern found in 1181 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /api/notify has no auth: Express route POST /api/notify declared without an auth middleware in i", "shortDescription": {"text": "[MINED113] Express POST /api/notify has no auth: Express route POST /api/notify declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access"}, "fullDescription": {"text": "Add an auth middleware: app.post('/api/notify', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST /api/chat has no auth: Handler `handle_chat_data` is registered with router/app.post(...) but no", "shortDescription": {"text": "[MINED112] FastAPI POST /api/chat has no auth: Handler `handle_chat_data` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.SLACK_PR_REVIEW_REQUEST_URL` on a `pull_request` trigger: This workflow triggers on `p", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.SLACK_PR_REVIEW_REQUEST_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_PR_REVIEW_REQUEST_URL }` lets a PR from an"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/194"}, "properties": {"repository": "vercel/ai", "repoUrl": "https://github.com/vercel/ai", "branch": "main"}, "results": [{"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `convert_to_openai_messages` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, elif=1, for=2, if=3, nested_bonus=10."}, "properties": {"repobilityId": 51128, "scanner": "repobility-threat-engine", "fingerprint": "a836512ea68c67048fa5075bc2f0fb694e511eb6926c844ea48fef0eeab6e730", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 17 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "convert_to_openai_messages", "breakdown": {"if": 3, "for": 2, "elif": 1, "continue": 1, "nested_bonus": 10}, "complexity": 17, "correlation_key": "fp|a836512ea68c67048fa5075bc2f0fb694e511eb6926c844ea48fef0eeab6e730"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/next-fastapi/api/utils/prompt.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 51120, "scanner": "repobility-threat-engine", "fingerprint": "5d43839d5139b702f09807be2c1d8b14fe6fddaf96e74751e134961c289335f8", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "console.log(request.body", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d43839d5139b702f09807be2c1d8b14fe6fddaf96e74751e134961c289335f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-text/openai/request-body.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). CWE-117."}, "properties": {"repobilityId": 51119, "scanner": "repobility-threat-engine", "fingerprint": "65f7d84bf22d546730857dccfc93fa4b0b4372b0c42474a925394f2379a41385", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "console.log(request.body", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|65f7d84bf22d546730857dccfc93fa4b0b4372b0c42474a925394f2379a41385"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-text/openai/output-object-request-body.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 51118, "scanner": "repobility-threat-engine", "fingerprint": "c82853b1bd486af4a4095639ba7ec853bbb48cfb04c8ef3bc46192de72597642", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'your-api-key-here'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c82853b1bd486af4a4095639ba7ec853bbb48cfb04c8ef3bc46192de72597642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-text/amazon-bedrock/api-key.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 51112, "scanner": "repobility-threat-engine", "fingerprint": "3f7812ad8173f3e1a2cf948b7dfbe1f992fccaa97772d583cff8868db34de8f6", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|42|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-text/openai/tool-call-with-tools-context.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 51111, "scanner": "repobility-threat-engine", "fingerprint": "04f7732fcf59cada3410f3bdfa816f316ee357ad7bc8b0aec263dc906ff4ecae", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|21|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-text/openai/reasoning-tools.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 51110, "scanner": "repobility-threat-engine", "fingerprint": "7879a0f5cec4d0aaed1eef6bd8dc36e266eb6b91edd119f59b3fe76be22c7d41", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|40|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-text/amazon-bedrock/anthropic-multiple-tools.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 51108, "scanner": "repobility-threat-engine", "fingerprint": "b8159c6b36dfef79b2433cb35b0c38f7ec1a9bdcc1a6eca85c869e5b57ad307f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Key);\n\n        return {\n          location,\n          temperature: 72 + Math.floor(Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b8159c6b36dfef79b2433cb35b0c38f7ec1a9bdcc1a6eca85c869e5b57ad307f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/agent/openai/generate-tools-context.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 51107, "scanner": "repobility-threat-engine", "fingerprint": "fbc03f65b5a151a6093de872d17c7932fa35a1bf07a2544f80ff9006808ad44e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Key);\n\n        return {\n          location,\n          temperature: 72 + Math.floor(Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fbc03f65b5a151a6093de872d17c7932fa35a1bf07a2544f80ff9006808ad44e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/agent/openai/generate-tools-context-call-options.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 51106, "scanner": "repobility-threat-engine", "fingerprint": "459e6c98055d4aebb06c8c2beaee87c3a2b7cf11f445cc391f4650c6a91965bc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * cities.length)],\n          });\n        }\n      },\n    });\n\n  return (\n    <div", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|459e6c98055d4aebb06c8c2beaee87c3a2b7cf11f445cc391f4650c6a91965bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/chat/tools/page.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 51104, "scanner": "repobility-threat-engine", "fingerprint": "5f44f0fee054b392dbecf92a3ba543cf7f63b10b877c02718e31cd6c29ff18c7", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|15|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/chat/mcp-with-auth/page.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 51103, "scanner": "repobility-threat-engine", "fingerprint": "b7d69a5d1fffc33ebebb61cb610fb5bcb49144e74b37a60b9ab3be4601b32a6c", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|54|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/chat/mcp-apps/page.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 51102, "scanner": "repobility-threat-engine", "fingerprint": "7bb84dab8e8645149004c98817d11ba0977463b6fccfcbd0ff7bf498d7b0f43c", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a\n                  href={part.url}\n                  target=\"_blank\"\n                  className=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|31|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/chat/custom-sources/page.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 51078, "scanner": "repobility-threat-engine", "fingerprint": "4362873f2ade1e47f610223b05f0ca7ffb46d2c50076eea070d71f0feb50ecf3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url: 'https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4362873f2ade1e47f610223b05f0ca7ffb46d2c50076eea070d71f0feb50ecf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-video/klingai/motion-control-v3.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 51077, "scanner": "repobility-threat-engine", "fingerprint": "2b97bd2e37c4fdba3115f52fadf1e8b491b0f72761b1b4065c57a9dd166a61de", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url: 'https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b97bd2e37c4fdba3115f52fadf1e8b491b0f72761b1b4065c57a9dd166a61de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-video/klingai/motion-control-pro.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 51076, "scanner": "repobility-threat-engine", "fingerprint": "604b22803ee95e4f12ebfdf2b52dd5287a5e48568d508f340c21d2e913e626f2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: 'https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|604b22803ee95e4f12ebfdf2b52dd5287a5e48568d508f340c21d2e913e626f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/api/chat/custom-sources/route.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 51071, "scanner": "repobility-threat-engine", "fingerprint": "e7d7c38faae14d10ca0719c2fe93a30ca61d1a5e51f8e8bc4b04544d03f428d7", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: documentation/example path]", "evidence": {"match": "catch (error) {}", "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: documentation/example path]", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "fp|e7d7c38faae14d10ca0719c2fe93a30ca61d1a5e51f8e8bc4b04544d03f428d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/agent/openai/apply-patch-agent.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 5971, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 5970, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 5966, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5964, "scanner": "repobility-threat-engine", "fingerprint": "77aceb0a6d466440ba0c8dda75ee09dd95290ee504bf1c32e7ea87bed77143da", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|77aceb0a6d466440ba0c8dda75ee09dd95290ee504bf1c32e7ea87bed77143da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/devtools/src/viewer/client/app.tsx"}, "region": {"startLine": 90}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5963, "scanner": "repobility-threat-engine", "fingerprint": "67cafaa8538336026d0739fea40af300e288d6aebbbe4b02dfda0873e2cc540f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|67cafaa8538336026d0739fea40af300e288d6aebbbe4b02dfda0873e2cc540f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/devtools/src/viewer/server.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5962, "scanner": "repobility-threat-engine", "fingerprint": "832192e0d8c3b2e09dec3bf8959bc501d2bedf2c1e84e4176b5f468b2daece8c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|832192e0d8c3b2e09dec3bf8959bc501d2bedf2c1e84e4176b5f468b2daece8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/google/src/interactions/stream-google-interactions.ts"}, "region": {"startLine": 212}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5955, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12643ce770882407cc387464e2edbe9417d73d158b36e8bf97b734d0c0a3b190", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/generate-text/generate-text.test-d.ts", "duplicate_line": 98, "correlation_key": "fp|12643ce770882407cc387464e2edbe9417d73d158b36e8bf97b734d0c0a3b190"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/generate-text/stream-text.test-d.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5954, "scanner": "repobility-ai-code-hygiene", "fingerprint": "efe73f98e6bc6085b254841ff08c712717048712302711cae3896c96c21c7ee1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/agent/tool-loop-agent.test-d.ts", "duplicate_line": 162, "correlation_key": "fp|efe73f98e6bc6085b254841ff08c712717048712302711cae3896c96c21c7ee1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/generate-text/stream-text.test-d.ts"}, "region": {"startLine": 168}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5953, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c39278dbebc06483f76adf217417d17c4628faebcae3b9ec42856d37999f21a3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/generate-text/generate-text-result.ts", "duplicate_line": 35, "correlation_key": "fp|c39278dbebc06483f76adf217417d17c4628faebcae3b9ec42856d37999f21a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/generate-text/step-result.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5952, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5046f816b16270316387e72bae439a944a29613117bcf814fd6e677b38f1b1a3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/agent/tool-loop-agent.test-d.ts", "duplicate_line": 163, "correlation_key": "fp|5046f816b16270316387e72bae439a944a29613117bcf814fd6e677b38f1b1a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/generate-text/generate-text.test-d.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "CORE_NO_README", "level": "warning", "message": {"text": "No README file found"}, "properties": {"repobilityId": 5937, "scanner": "repobility-core", "fingerprint": "b55c73163757fe6b2364bb829fcd26e87b9d9e7b367dd2a3307a814b02b29cbd", "category": "documentation", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_README", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_readme"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51154, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cde27097858ce369ee65a3d9d34378919c5b6de87f9c9aeab65c1db998634644", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/amazon-bedrock/tsup.config.ts", "duplicate_line": 1, "correlation_key": "fp|cde27097858ce369ee65a3d9d34378919c5b6de87f9c9aeab65c1db998634644"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/assemblyai/tsup.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51153, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ad7a2419f12ea4e1ff483ff69927e9bec27f7455646133bb72ac9e075fd0585", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/amazon-bedrock/tsup.config.ts", "duplicate_line": 1, "correlation_key": "fp|0ad7a2419f12ea4e1ff483ff69927e9bec27f7455646133bb72ac9e075fd0585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/tsup.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51152, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b641970d4d5ac561fb08903221546b14f8692ed0810609d9116e76142be1ccc8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/anthropic/src/tool/web-search_20250305.ts", "duplicate_line": 8, "correlation_key": "fp|b641970d4d5ac561fb08903221546b14f8692ed0810609d9116e76142be1ccc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/tool/web-search_20260209.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51151, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d452fdbc0e285095443fcde459797331fbf9309cdb191b17c7b3c5f6526090a7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/anthropic/src/tool/web-fetch-20250910.ts", "duplicate_line": 19, "correlation_key": "fp|d452fdbc0e285095443fcde459797331fbf9309cdb191b17c7b3c5f6526090a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/tool/web-fetch-20260209.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51150, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b59afab5952fdfc64cbe907941b3afc1b1a1c79bd5660233df41ef7c9cf60d3e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/anthropic/src/tool/text-editor_20250429.ts", "duplicate_line": 8, "correlation_key": "fp|b59afab5952fdfc64cbe907941b3afc1b1a1c79bd5660233df41ef7c9cf60d3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/tool/text-editor_20250728.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51149, "scanner": "repobility-ai-code-hygiene", "fingerprint": "37fc9e98210c35bf37193353aff3a8e197a592439d5ca1c564cb071acb80df03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/anthropic/src/tool/text-editor_20241022.ts", "duplicate_line": 8, "correlation_key": "fp|37fc9e98210c35bf37193353aff3a8e197a592439d5ca1c564cb071acb80df03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/tool/text-editor_20250124.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51148, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dbf0e3b6c1c9ea2446d6ed14ced1f766ebaf262036e660e085c541c9d56d921d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/anthropic/src/tool/computer_20250124.ts", "duplicate_line": 8, "correlation_key": "fp|dbf0e3b6c1c9ea2446d6ed14ced1f766ebaf262036e660e085c541c9d56d921d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/tool/computer_20251124.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51147, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b3686ed94b415905e1a0e35e5ac06435c69cdde24a8c252c14962f974a27145", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/anthropic/src/tool/code-execution_20250522.ts", "duplicate_line": 9, "correlation_key": "fp|7b3686ed94b415905e1a0e35e5ac06435c69cdde24a8c252c14962f974a27145"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/tool/code-execution_20260120.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51146, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c90cee9299de4cab8458fe60bb83e5bf4d77ece1e68a70609380b904c78753b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/anthropic/src/tool/code-execution_20250825.ts", "duplicate_line": 8, "correlation_key": "fp|c90cee9299de4cab8458fe60bb83e5bf4d77ece1e68a70609380b904c78753b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/tool/code-execution_20260120.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51145, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6dd60188c4dbf835a04c1d3d0b340ae99561cb61de852fee22dbb8c4ffcb94e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/anthropic/src/tool/code-execution_20250522.ts", "duplicate_line": 9, "correlation_key": "fp|6dd60188c4dbf835a04c1d3d0b340ae99561cb61de852fee22dbb8c4ffcb94e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/tool/code-execution_20250825.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51144, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c6ef3603261e08688a5d10bce0276262c6465783e10d3e109d564b6e34db66c0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/anthropic/src/tool/bash_20241022.ts", "duplicate_line": 66, "correlation_key": "fp|c6ef3603261e08688a5d10bce0276262c6465783e10d3e109d564b6e34db66c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/tool/bash_20250124.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51143, "scanner": "repobility-ai-code-hygiene", "fingerprint": "922821bbf4f7b38d651b977ed1e2291df0b877c06a692dfcb9a6ab4d349187db", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/anthropic-aws/src/anthropic-aws-provider.ts", "duplicate_line": 168, "correlation_key": "fp|922821bbf4f7b38d651b977ed1e2291df0b877c06a692dfcb9a6ab4d349187db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/anthropic-provider.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51142, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ba1ac8245c283c3354d50073b126ec006c0871162004d8dfd38ae7079e6d9c0e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/amazon-bedrock/tsup.config.ts", "duplicate_line": 1, "correlation_key": "fp|ba1ac8245c283c3354d50073b126ec006c0871162004d8dfd38ae7079e6d9c0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic-aws/tsup.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51141, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7758f1592db72d0e2f1b2f639504722fadf7cd1e03b9c41b7634865908becfe0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/amazon-bedrock/src/anthropic/amazon-bedrock-anthropic-provider.ts", "duplicate_line": 104, "correlation_key": "fp|7758f1592db72d0e2f1b2f639504722fadf7cd1e03b9c41b7634865908becfe0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic-aws/src/anthropic-aws-provider.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51140, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45eece71a72f250dd4406cd56e8933fc65124bb25b629c4bbb20547a2053e943", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/amazon-bedrock/src/amazon-bedrock-provider.ts", "duplicate_line": 67, "correlation_key": "fp|45eece71a72f250dd4406cd56e8933fc65124bb25b629c4bbb20547a2053e943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic-aws/src/anthropic-aws-provider.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51139, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d7611418c653b9ea98885e9059f750d601bb4002cb48f8f6696877d542b3544", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/amazon-bedrock/src/amazon-bedrock-sigv4-fetch.ts", "duplicate_line": 22, "correlation_key": "fp|9d7611418c653b9ea98885e9059f750d601bb4002cb48f8f6696877d542b3544"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic-aws/src/anthropic-aws-fetch.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51138, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6da4172bac59f6336895aef736b5d8a85bc86669ca6738c4117140858f3e191c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/amazon-bedrock/src/anthropic/amazon-bedrock-anthropic-provider.ts", "duplicate_line": 104, "correlation_key": "fp|6da4172bac59f6336895aef736b5d8a85bc86669ca6738c4117140858f3e191c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/amazon-bedrock/src/mantle/bedrock-mantle-provider.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51137, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a225557d4e0b67b74c9fcd452c5f62a1ac84f07ce57e0a150a3565a5def608a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/amazon-bedrock/src/amazon-bedrock-provider.ts", "duplicate_line": 70, "correlation_key": "fp|8a225557d4e0b67b74c9fcd452c5f62a1ac84f07ce57e0a150a3565a5def608a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/amazon-bedrock/src/mantle/bedrock-mantle-provider.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51136, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42242338054d6c3c4913af2adaeaed80fb7a27165e5c8e96dc185da3290cb93b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/generate-text/generate-text.test-d.ts", "duplicate_line": 153, "correlation_key": "fp|42242338054d6c3c4913af2adaeaed80fb7a27165e5c8e96dc185da3290cb93b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/generate-text/stream-text.test-d.ts"}, "region": {"startLine": 268}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51135, "scanner": "repobility-ai-code-hygiene", "fingerprint": "403b64de470498859198640c17e039f1cb69a70948a96a48843e4e769ad13d16", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/agent/tool-loop-agent.test-d.ts", "duplicate_line": 162, "correlation_key": "fp|403b64de470498859198640c17e039f1cb69a70948a96a48843e4e769ad13d16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/generate-text/stream-text.test-d.ts"}, "region": {"startLine": 241}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51134, "scanner": "repobility-ai-code-hygiene", "fingerprint": "26e9da2a9f36f66eb0747b8796f98a27ee138b34f511bdb85915f74b72af2968", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/generate-text/generate-text-result.ts", "duplicate_line": 35, "correlation_key": "fp|26e9da2a9f36f66eb0747b8796f98a27ee138b34f511bdb85915f74b72af2968"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/generate-text/step-result.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 51133, "scanner": "repobility-ai-code-hygiene", "fingerprint": "13e94e2bf7220593baa45f5821a1794ad43fcf41cf2e54f632045d53cb063c50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/agent/tool-loop-agent.test-d.ts", "duplicate_line": 163, "correlation_key": "fp|13e94e2bf7220593baa45f5821a1794ad43fcf41cf2e54f632045d53cb063c50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/generate-text/generate-text.test-d.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 5969, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 5968, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 5967, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5961, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4584d7daf9f039bf505324477f9b3c8e55e5326e6c1394d490503fad20a99cd5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/anthropic/src/tool/bash_20241022.test-d.ts", "duplicate_line": 37, "correlation_key": "fp|4584d7daf9f039bf505324477f9b3c8e55e5326e6c1394d490503fad20a99cd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/tool/bash_20250124.test-d.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5960, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f9a9f7d8b5c4c1119abe92b3ecd53f4ff444a35ea9531081c9ba35f20671252a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/amazon-bedrock/src/anthropic/amazon-bedrock-anthropic-provider.ts", "duplicate_line": 242, "correlation_key": "fp|f9a9f7d8b5c4c1119abe92b3ecd53f4ff444a35ea9531081c9ba35f20671252a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/anthropic/src/anthropic-provider.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5959, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6542914240380b7b8a9a2b7a756dc49840dadf181ac72a50e9974502d1bf8731", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/amazon-bedrock/src/amazon-bedrock-provider.ts", "duplicate_line": 68, "correlation_key": "fp|6542914240380b7b8a9a2b7a756dc49840dadf181ac72a50e9974502d1bf8731"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/amazon-bedrock/src/anthropic/amazon-bedrock-anthropic-provider.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5958, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00d14cb5569504e99a3d84bc42090e726869c364ce9eedbf1006e106a6bd2db1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/amazon-bedrock/src/amazon-bedrock-embedding-model.ts", "duplicate_line": 112, "correlation_key": "fp|00d14cb5569504e99a3d84bc42090e726869c364ce9eedbf1006e106a6bd2db1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/amazon-bedrock/src/amazon-bedrock-image-model.ts"}, "region": {"startLine": 205}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5957, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46ae200ad4a1dcc801ef3adf5a059679807431790952bc25589f560247dc22e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/ui/last-assistant-message-is-complete-with-approval-responses.ts", "duplicate_line": 3, "correlation_key": "fp|46ae200ad4a1dcc801ef3adf5a059679807431790952bc25589f560247dc22e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/ui/last-assistant-message-is-complete-with-tool-calls.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5956, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cdfcc0312672c7888c61f73236ea2a60a53275385f3bab96df0ea8e17a4df2e1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/registry/custom-provider.test-d.ts", "duplicate_line": 46, "correlation_key": "fp|cdfcc0312672c7888c61f73236ea2a60a53275385f3bab96df0ea8e17a4df2e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/registry/provider-registry.test-d.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5951, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ba137bf2232af0091662e1efbbfc25abcefd181efe511598a2209f6a4a471d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/generate-object/generate-object.ts", "duplicate_line": 46, "correlation_key": "fp|0ba137bf2232af0091662e1efbbfc25abcefd181efe511598a2209f6a4a471d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/generate-object/stream-object.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5950, "scanner": "repobility-ai-code-hygiene", "fingerprint": "184df088320c287f7441943499eb06299f3c8d69c2bfba2dac491fed011523a8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/ai/src/embed/embed-many.ts", "duplicate_line": 52, "correlation_key": "fp|184df088320c287f7441943499eb06299f3c8d69c2bfba2dac491fed011523a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/embed/embed.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5949, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd63f577270282c3c84c8402d0dd633fd51d667ab8e224292d61ed392df94af1", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v4", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|bd63f577270282c3c84c8402d0dd633fd51d667ab8e224292d61ed392df94af1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/provider/src/embedding-model/v4/embedding-model-v4.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5948, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0748c4c4b407eb428bd9d1e79737506d4c9ede19ee7a2266c9dcf5143c4b855d", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v3", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|0748c4c4b407eb428bd9d1e79737506d4c9ede19ee7a2266c9dcf5143c4b855d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/provider/src/embedding-model/v3/embedding-model-v3.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5947, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35bc536b6e4dbd94b2626f276d2c194f3437c5c3bd758b5c438cfb4191f5ef41", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v2", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|35bc536b6e4dbd94b2626f276d2c194f3437c5c3bd758b5c438cfb4191f5ef41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/provider/src/embedding-model/v2/embedding-model-v2.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5946, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5f65ec3a27db2268c9cf3e1263696a9526acdbd6885ef5cd140600276502529", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v3", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c5f65ec3a27db2268c9cf3e1263696a9526acdbd6885ef5cd140600276502529"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/codemod/src/codemods/v6/rename-mock-v2-to-v3.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5945, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bcfd0eeefeaa37947355f146edf554c5b70e35ab4b68a273b1229d4a9987debf", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v3", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|bcfd0eeefeaa37947355f146edf554c5b70e35ab4b68a273b1229d4a9987debf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/codemod/src/codemods/v5/replace-zod-import-with-v3.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5944, "scanner": "repobility-ai-code-hygiene", "fingerprint": "988de619ef6092c799459369e6a7420ce2d0b40a62ab67c900809bddd724cbbc", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v2", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|988de619ef6092c799459369e6a7420ce2d0b40a62ab67c900809bddd724cbbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/codemod/src/codemods/v5/migrate-to-data-stream-protocol-v2.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5943, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de608a00101c936877abf84011d0ebc1a6a26b88d242d692d6c6ae38b036c008", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v3", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|de608a00101c936877abf84011d0ebc1a6a26b88d242d692d6c6ae38b036c008"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/model/as-transcription-model-v3.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5942, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70d347851b627a3b2956c534e7a3680cc5b5d3d2b1f355b19d594cba078d0251", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v3", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|70d347851b627a3b2956c534e7a3680cc5b5d3d2b1f355b19d594cba078d0251"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/model/as-speech-model-v3.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5941, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8f769e8002964640df7823881d4c45546e2ffe5906e129d5b1bf22c2fd0e4eb", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v3", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|a8f769e8002964640df7823881d4c45546e2ffe5906e129d5b1bf22c2fd0e4eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/model/as-provider-v3.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5940, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8efe6712db4477284863beb6626298517a0e51740623852060c40b14201f3311", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v3", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|8efe6712db4477284863beb6626298517a0e51740623852060c40b14201f3311"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/model/as-language-model-v3.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5939, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ade89d3380b563a50553b8451d8cdf1abf17c453862f8e33f30a47d145150acd", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v3", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ade89d3380b563a50553b8451d8cdf1abf17c453862f8e33f30a47d145150acd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/model/as-image-model-v3.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 5938, "scanner": "repobility-ai-code-hygiene", "fingerprint": "315e8733249c97cf731680c1560aa5d4c20009e16b0e861f5be0913e830af13a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v3", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|315e8733249c97cf731680c1560aa5d4c20009e16b0e861f5be0913e830af13a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ai/src/model/as-embedding-model-v3.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 51131, "scanner": "repobility-threat-engine", "fingerprint": "c646b006da8bd2230b1b1ad31657975a2722f51d606f3b84edac11c0ee8236a1", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|21|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/next-workflow/app/api/telemetry-chat/route.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 51130, "scanner": "repobility-threat-engine", "fingerprint": "759a961c6bceb370142add6f6e6389cc72af1156e19e027ed421d89b630e0c6f", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|15|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/next-workflow/app/api/chat/route.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 51129, "scanner": "repobility-threat-engine", "fingerprint": "c02798154d5422366073b1f8f665a945da2e8109d678c0f1615be0c15fdd4181", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c02798154d5422366073b1f8f665a945da2e8109d678c0f1615be0c15fdd4181"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/next-openai-kasada-bot-protection/kasada/kasada-client.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 51125, "scanner": "repobility-threat-engine", "fingerprint": "1fc25f1c9b003fa7c4d46233976daa67c3779151ab0eaaef7419196b4d28c572", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1fc25f1c9b003fa7c4d46233976daa67c3779151ab0eaaef7419196b4d28c572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp/src/http/server.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 51124, "scanner": "repobility-threat-engine", "fingerprint": "a2abe045ac3414d6e050e7854296ed4755cc8eec69d501e00ba7567ec4fe3461", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a2abe045ac3414d6e050e7854296ed4755cc8eec69d501e00ba7567ec4fe3461"}}}, {"ruleId": "MINED024", "level": "none", "message": {"text": "[MINED024] Js Eval Usage (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 51117, "scanner": "repobility-threat-engine", "fingerprint": "1a328c557b75a493859403947c2ce2b501b4b5d3c3926d3a6ba73dad03daec56", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1a328c557b75a493859403947c2ce2b501b4b5d3c3926d3a6ba73dad03daec56", "aggregated_count": 1}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 51113, "scanner": "repobility-threat-engine", "fingerprint": "2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0"}}}, {"ruleId": "SEC087", "level": "none", "message": {"text": "[SEC087] JS: weak Math.random for crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 51109, "scanner": "repobility-threat-engine", "fingerprint": "f9e43c52f854068117e8bde7e90b7e258a8a837f5852a860af38ea90ebef014f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f9e43c52f854068117e8bde7e90b7e258a8a837f5852a860af38ea90ebef014f"}}}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 51105, "scanner": "repobility-threat-engine", "fingerprint": "be1de572e8dfca8563b4873dc72949759dd4f7533f2e1000b193ce51b81a5bba", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|be1de572e8dfca8563b4873dc72949759dd4f7533f2e1000b193ce51b81a5bba"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 91 more): Same pattern found in 91 additional files. Review if needed."}, "properties": {"repobilityId": 51101, "scanner": "repobility-threat-engine", "fingerprint": "fbd1d63595a5cccdb82fe2512a0000be3649fb62995337dbc7f927753321f307", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 91 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fbd1d63595a5cccdb82fe2512a0000be3649fb62995337dbc7f927753321f307", "aggregated_count": 91}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 51100, "scanner": "repobility-threat-engine", "fingerprint": "3ae9b24deff532cbb0ffff3ade3740e35486598f08bd38951c78b4e909169473", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3ae9b24deff532cbb0ffff3ade3740e35486598f08bd38951c78b4e909169473"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/chat/anthropic-code-execution/page.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 51099, "scanner": "repobility-threat-engine", "fingerprint": "109d54b6bedf1c3e489b4d6e79ae4dd8ca038781ff61744456fcfe856d30601c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|109d54b6bedf1c3e489b4d6e79ae4dd8ca038781ff61744456fcfe856d30601c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/chat/anthropic-code-execution-file-upload/page.tsx"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 51098, "scanner": "repobility-threat-engine", "fingerprint": "14fb93babc993b01726a990bf9e7ebb092d6d31f20b3e29231ba06187f9d99e7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14fb93babc993b01726a990bf9e7ebb092d6d31f20b3e29231ba06187f9d99e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/chat/anthropic-advisor-tool/page.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 286 more): Same pattern found in 286 additional files. Review if needed."}, "properties": {"repobilityId": 51097, "scanner": "repobility-threat-engine", "fingerprint": "fc2faf818e9d0d4fbe05daa79408b9f557dc3e407c25ace425db43dc855e170c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 286 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fc2faf818e9d0d4fbe05daa79408b9f557dc3e407c25ace425db43dc855e170c", "aggregated_count": 286}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 51096, "scanner": "repobility-threat-engine", "fingerprint": "7afde9ba368c19f6516f443aa19b3628daed2f03e1f2b42428ae155942e7bbbd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7afde9ba368c19f6516f443aa19b3628daed2f03e1f2b42428ae155942e7bbbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/agent/openai/generate-on-step-finish.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 51095, "scanner": "repobility-threat-engine", "fingerprint": "318ba4afe75222b29fdff79b16b3d99c2b4d7a052f9df365e28cb2296151e45d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|318ba4afe75222b29fdff79b16b3d99c2b4d7a052f9df365e28cb2296151e45d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/agent/openai/generate-just-bash-sandbox-compaction.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 51094, "scanner": "repobility-threat-engine", "fingerprint": "554740d1fa36ecd0e679ff5d45485e7544fae96b1f0f7aa093f13ec776b29d96", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|554740d1fa36ecd0e679ff5d45485e7544fae96b1f0f7aa093f13ec776b29d96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/api/files/route.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 271 more): Same pattern found in 271 additional files. Review if needed."}, "properties": {"repobilityId": 51093, "scanner": "repobility-threat-engine", "fingerprint": "d7fbdb19f57d8853cff8c59eec91c0b9172c721b994f418c31273df77c6cf910", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 271 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 271 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d7fbdb19f57d8853cff8c59eec91c0b9172c721b994f418c31273df77c6cf910"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "properties": {"repobilityId": 51091, "scanner": "repobility-threat-engine", "fingerprint": "5e2766527e20fac411476d2b862dd1b322ae22e55a50062e6a0b3444674f119d", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5e2766527e20fac411476d2b862dd1b322ae22e55a50062e6a0b3444674f119d"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 51087, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 51083, "scanner": "repobility-threat-engine", "fingerprint": "8d382f1a9011e34b41d4813c5064868da88d0861c3460c6e680d07ddd9a72035", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8d382f1a9011e34b41d4813c5064868da88d0861c3460c6e680d07ddd9a72035", "aggregated_count": 12}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 51082, "scanner": "repobility-threat-engine", "fingerprint": "0133ebc11998e80df91f420e6b4a7e16d35fd24dae691a61df50b324f5c080fe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0133ebc11998e80df91f420e6b4a7e16d35fd24dae691a61df50b324f5c080fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-text/anthropic/chatbot-websearch.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 51081, "scanner": "repobility-threat-engine", "fingerprint": "53d3bfbe6ae19d6d2a54baab55a2cb60c0dfad51f57956410ca1005a839fc224", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53d3bfbe6ae19d6d2a54baab55a2cb60c0dfad51f57956410ca1005a839fc224"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/api/chat/xai-image-edit/route.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 51080, "scanner": "repobility-threat-engine", "fingerprint": "77044225e854a20512942af16caeab8d0bb37e2c083ff6de365305a78fe95149", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|77044225e854a20512942af16caeab8d0bb37e2c083ff6de365305a78fe95149"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/api/chat/human-in-the-loop/utils.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 51079, "scanner": "repobility-threat-engine", "fingerprint": "ee421e2f5fddad0a231bf20d28a5a2a96771650d5074a7f38bbf6c1fc641897f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ee421e2f5fddad0a231bf20d28a5a2a96771650d5074a7f38bbf6c1fc641897f"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 51075, "scanner": "repobility-threat-engine", "fingerprint": "929c9e7c5a4990dde974df9a4ded5644da65cca39e6c490aced08091c49df81e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|929c9e7c5a4990dde974df9a4ded5644da65cca39e6c490aced08091c49df81e", "aggregated_count": 14}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 51074, "scanner": "repobility-threat-engine", "fingerprint": "4b11e0e529de410e9d2e78baf6d2f11f9aa9a3789894fdb34860ddbf5a489327", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b11e0e529de410e9d2e78baf6d2f11f9aa9a3789894fdb34860ddbf5a489327"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/api/chat/mcp-elicitation/route.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 51073, "scanner": "repobility-threat-engine", "fingerprint": "f01e559a0871e0fe725081cbdf6eaa47602cf4cfb1bb352a1d2599708c101aab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f01e559a0871e0fe725081cbdf6eaa47602cf4cfb1bb352a1d2599708c101aab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/agent/openai/shell-skills-agent.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 51072, "scanner": "repobility-threat-engine", "fingerprint": "9385254b565d07e49d35e9a3c4b92f56d0b31cb818540bcf6b55051d87a0d0cf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9385254b565d07e49d35e9a3c4b92f56d0b31cb818540bcf6b55051d87a0d0cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/agent/openai/shell-agent.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 51070, "scanner": "repobility-threat-engine", "fingerprint": "a35cd66a42bd425279dae9e13ec5afe8ff438d13c07e35a6c2ee72916adb4e92", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a35cd66a42bd425279dae9e13ec5afe8ff438d13c07e35a6c2ee72916adb4e92", "aggregated_count": 22}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 51069, "scanner": "repobility-threat-engine", "fingerprint": "cd45e2af32ceb63af1a3a05b3e40c44c4ee8f4d7195ce2d7f0310ce7069e368a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd45e2af32ceb63af1a3a05b3e40c44c4ee8f4d7195ce2d7f0310ce7069e368a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/api/chat/mcp-with-auth/route.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 51068, "scanner": "repobility-threat-engine", "fingerprint": "074e5f03d1e7f0fc78ed153782e300393474773caab61099c8166aba0113ada9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|074e5f03d1e7f0fc78ed153782e300393474773caab61099c8166aba0113ada9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/agent/anthropic/programmatic-tool-calling-agent.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 51067, "scanner": "repobility-threat-engine", "fingerprint": "d53953485c230d7a4eaefe78575ab1bcffacbc8f6316c6a3f2eda01629ef5561", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d53953485c230d7a4eaefe78575ab1bcffacbc8f6316c6a3f2eda01629ef5561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/agent/anthropic/code-execution-agent.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 1181 more): Same pattern found in 1181 additional files. Review if needed."}, "properties": {"repobilityId": 51066, "scanner": "repobility-threat-engine", "fingerprint": "4642eceba2298a95519fd2c86ca12da72f9ff55944e9de5c510e6e14f11397d3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1181 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4642eceba2298a95519fd2c86ca12da72f9ff55944e9de5c510e6e14f11397d3", "aggregated_count": 1181}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 51065, "scanner": "repobility-threat-engine", "fingerprint": "348ceb8af2fc5ba5d35727dfa2d952149350528104ac07b4f5edee62dbfe30c4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|348ceb8af2fc5ba5d35727dfa2d952149350528104ac07b4f5edee62dbfe30c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/actions/verify-changesets/index.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 51064, "scanner": "repobility-threat-engine", "fingerprint": "d2d9fed21fed8c92758dd0b448e7adf233addcffeb91c6ef1891602e17314652", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2d9fed21fed8c92758dd0b448e7adf233addcffeb91c6ef1891602e17314652"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/notify-released/index.mjs"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 51063, "scanner": "repobility-threat-engine", "fingerprint": "02003e038c66eca6cfa0fd2d4868ff1928f89b4bc7ddfda3a23c822ed763f3a8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|02003e038c66eca6cfa0fd2d4868ff1928f89b4bc7ddfda3a23c822ed763f3a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/cleanup-examples-changesets.mjs"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5965, "scanner": "repobility-threat-engine", "fingerprint": "0c308150a8ca990d5e336c2baa59af7cc4d2bafdafa924b2202baa56ccc1674d", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|12|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/devtools/examples/basic/tools.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/notify has no auth: Express route POST /api/notify declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 51157, "scanner": "repobility-route-auth", "fingerprint": "6ba7460cec2186df73b86aa9098fe4adfab9e24a2d40441ca4badd318b474482", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6ba7460cec2186df73b86aa9098fe4adfab9e24a2d40441ca4badd318b474482"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/devtools/src/viewer/server.ts"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/clear has no auth: Express route POST /api/clear declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 51156, "scanner": "repobility-route-auth", "fingerprint": "b8bc86fe4a0fc7fe2433540b325f2dd999a431b03d80b9e1b0273834c1ae54f8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b8bc86fe4a0fc7fe2433540b325f2dd999a431b03d80b9e1b0273834c1ae54f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/devtools/src/viewer/server.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST /api/chat has no auth: Handler `handle_chat_data` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 51155, "scanner": "repobility-route-auth", "fingerprint": "6a51e684f2b870ef56a2ee4aa343ddc881358b4c256fb3b65a72bb6cd2d3e67e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|6a51e684f2b870ef56a2ee4aa343ddc881358b4c256fb3b65a72bb6cd2d3e67e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/next-fastapi/api/index.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `stream_text` has cognitive complexity 61 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=1, continue=1, elif=3, else=3, for=7, if=5, nested_bonus=40, ternary=1."}, "properties": {"repobilityId": 51127, "scanner": "repobility-threat-engine", "fingerprint": "963ab9042e0e497e2215986e20b3d951447561f6172cb794973862e1256bb2e4", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 61 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "stream_text", "breakdown": {"if": 5, "for": 7, "elif": 3, "else": 3, "break": 1, "ternary": 1, "continue": 1, "nested_bonus": 40}, "complexity": 61, "correlation_key": "fp|963ab9042e0e497e2215986e20b3d951447561f6172cb794973862e1256bb2e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/next-fastapi/api/index.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 51126, "scanner": "repobility-threat-engine", "fingerprint": "01abbbb4bed89b37e7dd679aa92429eb25b524d320dc267f15340dc9efbc3126", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|01abbbb4bed89b37e7dd679aa92429eb25b524d320dc267f15340dc9efbc3126"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp/src/mcp-with-auth/client.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 51123, "scanner": "repobility-threat-engine", "fingerprint": "0991326311201877e04cc8fc6d36edac2dd24d8d71329c8792d69a057d075eec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/messages', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0991326311201877e04cc8fc6d36edac2dd24d8d71329c8792d69a057d075eec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mcp/src/elicitation-multi-step/server.ts"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 51122, "scanner": "repobility-threat-engine", "fingerprint": "a401b740f19d372b9c684b00b73b9c76566c0d5d55dc6a683a60fba1a9eb2c17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/', async (req: Request, res: Response) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a401b740f19d372b9c684b00b73b9c76566c0d5d55dc6a683a60fba1a9eb2c17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/express/src/server.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 51121, "scanner": "repobility-threat-engine", "fingerprint": "5bb79ff45dd19a6e91bce10c904b6aeacf057484f08bd902eda452f4fe84d382", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/api/chat', async (req: Request, res: Response) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5bb79ff45dd19a6e91bce10c904b6aeacf057484f08bd902eda452f4fe84d382"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/angular/src/server.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 51092, "scanner": "repobility-threat-engine", "fingerprint": "9b17814cbdbe9bd7372118bef2251e1a5c593d964f24d3e4b60d4099fb74d710", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "console.log('weather tool api key:', apiKey)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|1|console.log weather tool api key: apikey", "duplicate_count": 2, "duplicate_rule_ids": ["SEC020"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["155e4c96bd6f3a3d36fa19bb9b3724d6d96b7f84984d3551447c9a1a180d2419", "36209ae46b7d6a432ef482f4baf1a33605b403bc1dc5bf86281aba723504de93", "9b17814cbdbe9bd7372118bef2251e1a5c593d964f24d3e4b60d4099fb74d710"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/agent/openai/generate-tools-context-call-options.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 51090, "scanner": "repobility-threat-engine", "fingerprint": "e42b2cb2fbbd7ef49b16ffe9e015b96faec00d955267bab92fcfc36e43145bdc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e42b2cb2fbbd7ef49b16ffe9e015b96faec00d955267bab92fcfc36e43145bdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/api/download-container-file/openai/route.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 51089, "scanner": "repobility-threat-engine", "fingerprint": "bf531025a8775eb12a24e1589a12841460dd6d78c27191d3f31d3e9c735ec419", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf531025a8775eb12a24e1589a12841460dd6d78c27191d3f31d3e9c735ec419"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/api/download-container-file/azure/route.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 51088, "scanner": "repobility-threat-engine", "fingerprint": "f7cb2cb82443f0c1dffeca5029d89b1ebf8182ce096d7cec3749a96432b7ea5a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f7cb2cb82443f0c1dffeca5029d89b1ebf8182ce096d7cec3749a96432b7ea5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/api/chat/mcp-with-auth/route.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 51086, "scanner": "repobility-threat-engine", "fingerprint": "aeedc3ba33c33ce2a4f1b7f0b07b2101ae838f81f0643e09c54f0a4864c759d1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "notificationsStream.update(partialOutput);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aeedc3ba33c33ce2a4f1b7f0b07b2101ae838f81f0643e09c54f0a4864c759d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/stream-object/actions.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 51085, "scanner": "repobility-threat-engine", "fingerprint": "2385c7cb5997a56c6950ca3ed1ad9e9326e8e15d6f075d0b24601f7e67796aa6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete('new');", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2385c7cb5997a56c6950ca3ed1ad9e9326e8e15d6f075d0b24601f7e67796aa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/chat/upload-file/page.tsx"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 51084, "scanner": "repobility-threat-engine", "fingerprint": "f49faa688ce90544b76d7698f93ffab981a79523ff627bdd37e94d041bbb8f77", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pendingElicitations.delete(id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f49faa688ce90544b76d7698f93ffab981a79523ff627bdd37e94d041bbb8f77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-e2e-next/app/api/chat/mcp-elicitation/elicitation-store.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_PR_REVIEW_REQUEST_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_PR_REVIEW_REQUEST_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 51160, "scanner": "repobility-supply-chain", "fingerprint": "b0b367a61e390a17eaa13cf22c1b2e72d41480672e2b28e5ef6723eee8af2a3f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0b367a61e390a17eaa13cf22c1b2e72d41480672e2b28e5ef6723eee8af2a3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/slack-team-review-notification.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 51159, "scanner": "repobility-supply-chain", "fingerprint": "d2f4fa7a3a498090f7f9361f67ee2317f4f51e678976e8d78125a3c17f071fd1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2f4fa7a3a498090f7f9361f67ee2317f4f51e678976e8d78125a3c17f071fd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GR2M_PR_REVIEW_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GR2M_PR_REVIEW_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 51158, "scanner": "repobility-supply-chain", "fingerprint": "0131c07fb19ae0c16599aef4e04f5abfb117f21eeed96ae72564046d5325ffa4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0131c07fb19ae0c16599aef4e04f5abfb117f21eeed96ae72564046d5325ffa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-merge-release-prs.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 51132, "scanner": "repobility-threat-engine", "fingerprint": "8d63e86da150bc3aa6f54014f4a1cbef53376bd22b0ba65419e74f1fd7a8e517", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d63e86da150bc3aa6f54014f4a1cbef53376bd22b0ba65419e74f1fd7a8e517"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/next-workflow/workflow/agent-chat.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 51116, "scanner": "repobility-threat-engine", "fingerprint": "5454e24c1d45a2f02bb159bd57c8b88956b5f31e3c1b2385d718105fb4b976f3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5454e24c1d45a2f02bb159bd57c8b88956b5f31e3c1b2385d718105fb4b976f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-text/openai/tool-call-with-tools-context.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 51115, "scanner": "repobility-threat-engine", "fingerprint": "f91f7c4619553fe892b526ac99caf585976d2eddc2c587540e38c0b39a80ba0f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f91f7c4619553fe892b526ac99caf585976d2eddc2c587540e38c0b39a80ba0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-text/openai/reasoning-tools.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 51114, "scanner": "repobility-threat-engine", "fingerprint": "e0138caba77a284d4b5ec138deb86dd6add1c90bcdadebeca16fee92d91b484e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0138caba77a284d4b5ec138deb86dd6add1c90bcdadebeca16fee92d91b484e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ai-functions/src/generate-text/amazon-bedrock/anthropic-multiple-tools.ts"}, "region": {"startLine": 40}}}]}]}]}