{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 36.4% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 36.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 36.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", 
"confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR003", "name": "Compose service `platform` image uses the latest tag", "shortDescription": {"text": "Compose service `platform` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source. Pin the service to an immutable version tag or, preferably, to an image digest (image@sha256:...) so the deployed image is reproducible and auditable."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . copies the entire build context into an image layer, so anything not excluded by .dockerignore ships with the image and remains recoverable from layer history even if a later instruction deletes it. It is only safe when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping. Render a masked placeholder (or only whether a value is set) and accept a new value on change instead of round-tripping the stored secret to the client."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /hook/{provider}/{workspaceId}/{signalId}."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /hook/{provider}/{workspaceId}/{signalId}. Because this is an inbound webhook route, session-based authentication is not expected; confirm that the handler verifies the provider's request signature or a per-workspace shared secret and that the verified identity is bound to the workspaceId and signalId in the path. Without that binding, an unauthenticated caller could post signals into an arbitrary workspace."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential. Rotation is required even after removal: the value remains recoverable from version-control history, build logs, and any copies made while it was present."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/253"}, "properties": {"repository": "friday-platform/friday-studio", "repoUrl": "https://github.com/friday-platform/friday-studio", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7926, "scanner": "repobility-journey-contract", "fingerprint": "b55bf74b2c1af34ce6850d41fb5229b472c9f59570e348b5773673448c4b3fcf", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/workspaces/{param}/chat", "correlation_key": "fp|b55bf74b2c1af34ce6850d41fb5229b472c9f59570e348b5773673448c4b3fcf", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/src/atlas-daemon.ts"}, "region": {"startLine": 1430}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7925, "scanner": "repobility-journey-contract", "fingerprint": "ec7b996893812114d076b6cc706e0fe3865759f57e08d8992fec4dff3dc734de", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/workspaces/{param}/chat", "correlation_key": "fp|ec7b996893812114d076b6cc706e0fe3865759f57e08d8992fec4dff3dc734de", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/src/atlas-daemon.ts"}, "region": {"startLine": 1429}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7924, "scanner": "repobility-journey-contract", "fingerprint": "15460ebbea6da9f6b57928f108f958dce8c2ccbad5923fd15c0675c7b65838bc", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/workspaces/{param}/config", "correlation_key": "fp|15460ebbea6da9f6b57928f108f958dce8c2ccbad5923fd15c0675c7b65838bc", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/src/atlas-daemon.ts"}, "region": {"startLine": 1428}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7923, "scanner": "repobility-journey-contract", "fingerprint": "68153e84b951953624bf26dc950da1abff051ee92a9dd3ee9ece2ba4f0f99ea2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": 
"likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/workspaces", "correlation_key": "fp|68153e84b951953624bf26dc950da1abff051ee92a9dd3ee9ece2ba4f0f99ea2", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/src/atlas-daemon.ts"}, "region": {"startLine": 1426}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7922, "scanner": "repobility-journey-contract", "fingerprint": "4f5b8404a35b633ca12c1b450001f159d87d46ad5fd6731b6c0a022786ce4d01", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/elicitations", "correlation_key": "fp|4f5b8404a35b633ca12c1b450001f159d87d46ad5fd6731b6c0a022786ce4d01", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/src/atlas-daemon.ts"}, "region": {"startLine": 694}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7921, "scanner": "repobility-journey-contract", "fingerprint": "cae291fbdc24b48409785e74af44bbdbfa2cc6a0a0ebd6cfc7b11bd876788ce6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": 
"Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/elicitations", "correlation_key": "fp|cae291fbdc24b48409785e74af44bbdbfa2cc6a0a0ebd6cfc7b11bd876788ce6", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/src/atlas-daemon.ts"}, "region": {"startLine": 689}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7920, "scanner": "repobility-journey-contract", "fingerprint": "315ff80c9e736ea482b681743212763bfce4953a6f0251cd65a97ad9e9b842dc", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/workspaces/{param}/config", "correlation_key": "fp|315ff80c9e736ea482b681743212763bfce4953a6f0251cd65a97ad9e9b842dc", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/workspaces/config.ts"}, "region": {"startLine": 711}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7919, "scanner": "repobility-journey-contract", "fingerprint": "32e8a297599bb9f4a702f806e19e654b6fbf78931db452f3c3420d0134c0a83b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path 
appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/workspaces/{param}", "correlation_key": "fp|32e8a297599bb9f4a702f806e19e654b6fbf78931db452f3c3420d0134c0a83b", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/workspaces/cache-salt.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7918, "scanner": "repobility-journey-contract", "fingerprint": "0d7402d72935875ade83650789cb96ca942154c9afe40492581abe79b81ab7ca", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/me/stream", "correlation_key": "fp|0d7402d72935875ade83650789cb96ca942154c9afe40492581abe79b81ab7ca", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/workspace-events.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7917, "scanner": "repobility-journey-contract", "fingerprint": "e7744547f4fe603d597cd622998e8978f93163895f17da266bf7a67bdbc297eb", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code 
but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/workspaces/{param}/events", "correlation_key": "fp|e7744547f4fe603d597cd622998e8978f93163895f17da266bf7a67bdbc297eb", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/workspace-events.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7916, "scanner": "repobility-journey-contract", "fingerprint": "b98edb06a63d200849ee1b72819406f7f05493ccba356ffc46c328005ce7ded5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/link", "correlation_key": "fp|b98edb06a63d200849ee1b72819406f7f05493ccba356ffc46c328005ce7ded5", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/link.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7915, "scanner": "repobility-journey-contract", "fingerprint": "b7fe17af1036b7544e98c5f45bfa536c948f958b156f76c6ef585aff9414fe8a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has 
the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/me/stream", "correlation_key": "fp|b7fe17af1036b7544e98c5f45bfa536c948f958b156f76c6ef585aff9414fe8a", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/instance-events.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7914, "scanner": "repobility-journey-contract", "fingerprint": "45f727b8841f40e181d4d3ddc08b428fa170f22877d586cd180497f258260257", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/me/stream", "correlation_key": "fp|45f727b8841f40e181d4d3ddc08b428fa170f22877d586cd180497f258260257", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/instance-events.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7913, "scanner": "repobility-journey-contract", "fingerprint": "892f4db29f95380448e3bdef11d2603dd9f1074592141ba384d87e730458b79d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": 
{"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/me/stream", "correlation_key": "fp|892f4db29f95380448e3bdef11d2603dd9f1074592141ba384d87e730458b79d", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/elicitations/index.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7912, "scanner": "repobility-journey-contract", "fingerprint": "3fc1179ade94c3285eeb1496a115598567edc29d8021bb4204e1e0943d8796c2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/elicitations", "correlation_key": "fp|3fc1179ade94c3285eeb1496a115598567edc29d8021bb4204e1e0943d8796c2", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/elicitations/index.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 36.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 7910, "scanner": "repobility-access-control", "fingerprint": "b3ca1cc0adc648928bf7067619ade00a1cd66967958132d156237626623855f7", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence 
require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 11, "correlation_key": "fp|b3ca1cc0adc648928bf7067619ade00a1cd66967958132d156237626623855f7", "auth_visible_percent": 36.4}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 7909, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Chi"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `platform` image uses the latest tag"}, "properties": {"repobilityId": 7907, "scanner": "repobility-docker", "fingerprint": "3d64200c6d79ecf9fc63917a03af9d4f599843956c745c6142730cc9c108bdfd", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "friday-platform:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3d64200c6d79ecf9fc63917a03af9d4f599843956c745c6142730cc9c108bdfd"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 7905, "scanner": "repobility-docker", "fingerprint": "9d9e2e6d60ee85350f6b84486d31b533bcec5043362e5ae734ca7c3e10c134fa", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9d9e2e6d60ee85350f6b84486d31b533bcec5043362e5ae734ca7c3e10c134fa", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 7894, "scanner": "repobility-threat-engine", "fingerprint": "0d0c5c20937640d763055269b88981bf8b9693a6d6328a8e5f3b3a74907c336d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0d0c5c20937640d763055269b88981bf8b9693a6d6328a8e5f3b3a74907c336d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/src/sweep-agent-browser-sessions.ts"}, "region": {"startLine": 161}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: 
Empty catch blocks hide errors."}, "properties": {"repobilityId": 7893, "scanner": "repobility-threat-engine", "fingerprint": "f1062e115b5dc65c04e4d21d7c2b5a3dfc2d0fc937ca1d1ec460114c28316ec9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f1062e115b5dc65c04e4d21d7c2b5a3dfc2d0fc937ca1d1ec460114c28316ec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/src/process-agent-executor.ts"}, "region": {"startLine": 232}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 7892, "scanner": "repobility-threat-engine", "fingerprint": "30a0ffe6bc6ab694b5f59757bbaf41c423274787028c50322982d734002d6de7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|30a0ffe6bc6ab694b5f59757bbaf41c423274787028c50322982d734002d6de7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/build-studio.ts"}, "region": {"startLine": 522}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 7891, "scanner": "repobility-agent-runtime", "fingerprint": "a9998d64e0ba36ec2eac59cd8a6ec6ad87e01d58aca8e985223fe645d89544d2", "category": 
"quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a9998d64e0ba36ec2eac59cd8a6ec6ad87e01d58aca8e985223fe645d89544d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/config/src/permissions.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 7890, "scanner": "repobility-agent-runtime", "fingerprint": "f9a0c3753cc8002e299b34c6933e5da540a0c90d9d17d08b6ff5cbed7142ce67", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f9a0c3753cc8002e299b34c6933e5da540a0c90d9d17d08b6ff5cbed7142ce67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/bundled-agents/src/web/tools/fetch.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7889, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b415f2f8df718ae7722d617129763ef7f3ef8442222e5fd9c5c66178ad9d611e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/link/src/providers/atlassian.ts", "duplicate_line": 29, "correlation_key": "fp|b415f2f8df718ae7722d617129763ef7f3ef8442222e5fd9c5c66178ad9d611e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/link/src/providers/notion.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7888, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b47e550083b99f58aac37ae701b62166b7e33564c0935652dd740c0f870a2c30", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/link/src/providers/atlassian.ts", "duplicate_line": 12, "correlation_key": "fp|b47e550083b99f58aac37ae701b62166b7e33564c0935652dd740c0f870a2c30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/link/src/providers/linear.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7887, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3af86d1d05703163ad8eed6b50ae532d4cd1615716ac2448c34d35ae7b19ea44", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/atlasd/src/cascade-stream.ts", 
"duplicate_line": 234, "correlation_key": "fp|3af86d1d05703163ad8eed6b50ae532d4cd1615716ac2448c34d35ae7b19ea44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/src/signal-stream.ts"}, "region": {"startLine": 162}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7886, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cec4da74a6b9b60cd551a501068452df0a079374f8f5a9bbaab28acea9170267", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/atlasd/routes/workspaces/config.ts", "duplicate_line": 229, "correlation_key": "fp|cec4da74a6b9b60cd551a501068452df0a079374f8f5a9bbaab28acea9170267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/workspaces/mcp.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7885, "scanner": "repobility-ai-code-hygiene", "fingerprint": "26e7a0bd5cde1b440950a27ec88428cc449221451a1bdf2d5589a948fba6dfca", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/atlasd/routes/workspaces/integrations.ts", "duplicate_line": 159, "correlation_key": "fp|26e7a0bd5cde1b440950a27ec88428cc449221451a1bdf2d5589a948fba6dfca"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/workspaces/mcp.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7884, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4885a98f2e7575ae59ecf5e5c25460bb51ed77c6af2752eca11bca2b62b955f4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/atlasd/routes/workspaces/config.ts", "duplicate_line": 59, "correlation_key": "fp|4885a98f2e7575ae59ecf5e5c25460bb51ed77c6af2752eca11bca2b62b955f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/workspaces/integrations.ts"}, "region": {"startLine": 161}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7883, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6249961345b85e659d6cb994924db313a46a3d79fee28ec532c2efa12ee7a08d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/atlasd/routes/chat.ts", "duplicate_line": 75, "correlation_key": "fp|6249961345b85e659d6cb994924db313a46a3d79fee28ec532c2efa12ee7a08d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/workspaces/chat.ts"}, "region": {"startLine": 
85}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7882, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b425a040179e781156ddda69c4f56850a7ae23bfdb04bde0e3932162634ae48", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/atlasd/routes/artifacts.ts", "duplicate_line": 743, "correlation_key": "fp|9b425a040179e781156ddda69c4f56850a7ae23bfdb04bde0e3932162634ae48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/chunked-upload.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7881, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8cfc19d4c5abc99d120952c8b3f801ed5b9ccc20fbd4e1e50f59228e7597ec10", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/atlasd/routes/agents/expertise.ts", "duplicate_line": 19, "correlation_key": "fp|8cfc19d4c5abc99d120952c8b3f801ed5b9ccc20fbd4e1e50f59228e7597ec10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/agents/preflight.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 7880, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69011caeb6540e4016d8c3f2c89b03a270756319d5823dbae948a557e7f1cb7e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/atlasd/routes/agents/get.ts", "duplicate_line": 31, "correlation_key": "fp|69011caeb6540e4016d8c3f2c89b03a270756319d5823dbae948a557e7f1cb7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/agents/preflight.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7879, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c54e0ac2ee4523f78f4495497554aa468329fa2e079bb1feb20dd54eaafd0621", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/atlasd/routes/agents/expertise.ts", "duplicate_line": 19, "correlation_key": "fp|c54e0ac2ee4523f78f4495497554aa468329fa2e079bb1feb20dd54eaafd0621"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/agents/get.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7878, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"eb7436b097205ff0aa66ae2b900e272865c479df1b7263362e6ba2a91f534da5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/atlas-cli/src/commands/session/get.tsx", "duplicate_line": 135, "correlation_key": "fp|eb7436b097205ff0aa66ae2b900e272865c479df1b7263362e6ba2a91f534da5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlas-cli/src/modules/sessions/session-list-component.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 7908, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "platform", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 7906, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 7904, "scanner": "repobility-threat-engine", "fingerprint": "7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 7903, "scanner": "repobility-threat-engine", "fingerprint": "216a688d95b139b771b482318419b2e6efe4a908538649e95440b28deaabe70d", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test' detected on same line", "evidence": {"match": "Math.random()", "reason": "Safe pattern 'test' detected on same line", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|219|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/workspaces/config.test-fixtures.ts"}, "region": {"startLine": 219}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 7902, "scanner": "repobility-threat-engine", "fingerprint": "0647f3b9e6a3c496518f0e68937cc79d868b8066125a094de6cb079f4858fc66", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|packages/utils/mod.ts|324|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/utils/mod.ts"}, "region": {"startLine": 324}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 7901, "scanner": "repobility-threat-engine", "fingerprint": "2e674b23350d078f06d01d9ebc8572328c41f6eb036c206bfa6c1452ad01d181", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|226|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/workspace/src/id-generator.ts"}, "region": {"startLine": 226}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 7899, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 12 more): Same pattern found in 12 additional files. 
Review if needed."}, "properties": {"repobilityId": 7895, "scanner": "repobility-threat-engine", "fingerprint": "0aa9dc49795a1907c3853ff388053ca770d08e8348ca7a50a7dc711483ad1ae4", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0aa9dc49795a1907c3853ff388053ca770d08e8348ca7a50a7dc711483ad1ae4"}}}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 7927, "scanner": "repobility-journey-contract", "fingerprint": "01208497a8abe6ec65cdfb9db8d0279053c67ef54df50112950e0d03f0ece937", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|137|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/studio-installer/src/steps/ApiKeys.svelte"}, "region": {"startLine": 137}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /hook/{provider}/{workspaceId}/{signalId}."}, "properties": {"repobilityId": 7911, "scanner": "repobility-access-control", "fingerprint": "7e2ecf361072d1944447d2fae8f04e94dfb365ba185a61f1777fb6c8acdb8c93", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/hook/{provider}/{workspaceId}/{signalId}", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|237|cwe-639", "identity_targets": ["unknown", "owner", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/webhook-tunnel/main.go"}, "region": {"startLine": 237}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7898, "scanner": "repobility-threat-engine", "fingerprint": "3b4be997cca5cfd091fdf900a183158be646618b2f35eacfc23eb38d1bce546c", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.warn(\"telegram_no_workspace\", { tokenSuffixPresent: !!tokenSuffix })", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|21|logger.warn telegram_no_workspace tokensuffixpresent: tokensuffix"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/atlasd/routes/signals/platform.ts"}, "region": {"startLine": 216}}}]}, {"ruleId": "SEC020", 
"level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7897, "scanner": "repobility-threat-engine", "fingerprint": "c5e7f27be515ea805152d919dd39842e4ffad828824cc3d84f2711330c411ad5", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.error(\"OAuth token refresh failed\", { credentialId: id, error: e })", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|13|logger.error oauth token refresh failed credentialid: id error: e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/link/src/routes/oauth.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 7896, "scanner": "repobility-threat-engine", "fingerprint": "3e44e0d436c567904217b9002a3d932e926f816d56bf36119caeac412f59df59", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`Token: <redacted>, 50)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|3|console.log token: redacted 50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/link/scripts/test-e2e.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 7900, "scanner": "repobility-threat-engine", "fingerprint": "b934742bc770981f56f2b1625bcebc5f61c5e857a3d7d24b9dfc001d92bde4f2", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://postgres:postgres@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/link/scripts/test-e2e.ts"}, "region": {"startLine": 15}}}]}]}]}