{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Parse only usage metadata by default. 
Redact prompts, tool arguments, file paths, and message content before storage, telemetry, export, screenshots, or support bundles."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": 
"Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. 
In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 11 more): Same pattern found in 11 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 11 more): Same pattern found in 11 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-r", "shortDescription": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025"}, "fullDescription": {"text": "Replace with: `uses: actions/setup-node@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. 
The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM node:22-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._base` used but never assigned in __init__: Method `on_memory_write` of class `AgentMemoryProvider` rea", "shortDescription": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `on_memory_write` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError th"}, "fullDescription": {"text": "Initialize `self._base = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/179"}, "properties": {"repository": "rohitg00/agentmemory", "repoUrl": "https://github.com/rohitg00/agentmemory", "branch": "main"}, "results": [{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 40552, "scanner": "repobility-docker", "fingerprint": "e71547e57f8be64e6b0a82bc09bdf9212e5b2cfd7bf81e5628786f27973e73de", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e71547e57f8be64e6b0a82bc09bdf9212e5b2cfd7bf81e5628786f27973e73de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/render/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 40550, "scanner": "repobility-docker", "fingerprint": "1b85ecfcf08cd3b57343f8000a8907ebe1f5f3c3b657ec3025c5c63ac74caf17", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", 
"scanner": "repobility-docker", "final_base": "node:22-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1b85ecfcf08cd3b57343f8000a8907ebe1f5f3c3b657ec3025c5c63ac74caf17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/railway/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 40548, "scanner": "repobility-docker", "fingerprint": "0b4ce1db74351c1d323e25058782e029e4c1d9547be5b4521fba85dac75705fe", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0b4ce1db74351c1d323e25058782e029e4c1d9547be5b4521fba85dac75705fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/fly/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 40546, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 40545, "scanner": "repobility-docker", "fingerprint": "10f14b965c08f0c4f18a6b78e4e80013c4cea6d0792e2cae0a3c1553427f87a3", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|10f14b965c08f0c4f18a6b78e4e80013c4cea6d0792e2cae0a3c1553427f87a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/coolify/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 40543, "scanner": "repobility-agent-runtime", "fingerprint": "501bbd455b77b176480063a2c499e109a0b4a6040345c3188ed4c206efe25fe8", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], 
"correlation_key": "fp|501bbd455b77b176480063a2c499e109a0b4a6040345c3188ed4c206efe25fe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/components/GitHubStarButton.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 40542, "scanner": "repobility-agent-runtime", "fingerprint": "196a199483000601a806549e272571d0f708498d69b2126c73cc35684edab877", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|196a199483000601a806549e272571d0f708498d69b2126c73cc35684edab877"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli.ts"}, "region": {"startLine": 120}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 40523, "scanner": "repobility-threat-engine", "fingerprint": "59745445548ab16e1ac9e39714ae9f2bd4b24294bf19b33238f0fdcdf9e23d72", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|59745445548ab16e1ac9e39714ae9f2bd4b24294bf19b33238f0fdcdf9e23d72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugin/scripts/subagent-start.mjs"}, "region": {"startLine": 42}}}]}, {"ruleId": 
"ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 40522, "scanner": "repobility-threat-engine", "fingerprint": "a364b39a1784c68b77716ad7e5532aeb8af03306ef2a014743920cc33af466ea", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a364b39a1784c68b77716ad7e5532aeb8af03306ef2a014743920cc33af466ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugin/scripts/session-start.mjs"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 40520, "scanner": "repobility-threat-engine", "fingerprint": "b61d44b1a466cd0bc0c2a96b2d5082042b95147ae627615efd3350cae9a9d93c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|91|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/functions/consolidation-pipeline.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 40519, "scanner": "repobility-threat-engine", "fingerprint": "b2faf07d115e6a19c1e19e6a57c9b15f54ac450edb1d984c6940aa9a9d77a408", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|67|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-env-example.mjs"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 40518, "scanner": "repobility-threat-engine", "fingerprint": "5cbee4ead63d638248142df6a83d26ff53ac1f8fce9cc12f14530625ef800f51", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|22|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugin/scripts/post-commit.mjs"}, "region": {"startLine": 22}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5138, "scanner": "repobility-threat-engine", "fingerprint": "6275aa4ce219612082dfb313d7bf01ccc012d7e635e00e0dcd5b286359256a5f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6275aa4ce219612082dfb313d7bf01ccc012d7e635e00e0dcd5b286359256a5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/eval/metrics-store.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5137, "scanner": "repobility-threat-engine", "fingerprint": "7afc234c5fbe80449234a657034fd89edc6a726054cdbc8b01ca151bc0aed4a5", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": 
"fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7afc234c5fbe80449234a657034fd89edc6a726054cdbc8b01ca151bc0aed4a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/subagent-start.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 5136, "scanner": "repobility-threat-engine", "fingerprint": "b06b097bd2493066ae8390973ce5cef4f788113e24e69b65c9fdc4e34e317ec0", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b06b097bd2493066ae8390973ce5cef4f788113e24e69b65c9fdc4e34e317ec0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/session-start.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5130, "scanner": "repobility-agent-runtime", "fingerprint": "2963a736d41096b22d9883629fdc882cc47fc4c54f92841c6cabe9d95b2b3f18", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": 
"repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|2963a736d41096b22d9883629fdc882cc47fc4c54f92841c6cabe9d95b2b3f18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/components/GitHubStarButton.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 5129, "scanner": "repobility-agent-runtime", "fingerprint": "790d891ccfb76616532d31df6b81b7f2e28ad361d7ccec969089960473a736be", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|790d891ccfb76616532d31df6b81b7f2e28ad361d7ccec969089960473a736be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/viewer/index.html"}, "region": {"startLine": 967}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 40554, "scanner": "repobility-docker", "fingerprint": "e20532dcf33fe02ae43c3d4bd65127b9d28e139afab3417f72859198090c613a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "agentmemory", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|e20532dcf33fe02ae43c3d4bd65127b9d28e139afab3417f72859198090c613a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/coolify/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 40553, "scanner": "repobility-docker", "fingerprint": "a6785ea17990bd905f826d4cc5f88f0c131265a8a64fa848e70feb8cf8d43609", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "agentmemory", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a6785ea17990bd905f826d4cc5f88f0c131265a8a64fa848e70feb8cf8d43609"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/coolify/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40541, "scanner": "repobility-ai-code-hygiene", "fingerprint": "20e34c259b1f051abdf937070ea8fdc4a2996f4f6c99bdeb50d7bc7a85ee94e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/functions/vision-search.ts", "duplicate_line": 128, "correlation_key": "fp|20e34c259b1f051abdf937070ea8fdc4a2996f4f6c99bdeb50d7bc7a85ee94e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/state/vector-index.ts"}, 
"region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40540, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d52689955ea48b0f0d3cbcb8e860835530fa52e2854a4556987f6e8730a2b16c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/providers/embedding/cohere.ts", "duplicate_line": 12, "correlation_key": "fp|d52689955ea48b0f0d3cbcb8e860835530fa52e2854a4556987f6e8730a2b16c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/providers/embedding/voyage.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40539, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc186dc8094febb0b3a7a64d91d1700818137fb2e5af461f316afd38a67fba07", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/providers/embedding/cohere.ts", "duplicate_line": 12, "correlation_key": "fp|fc186dc8094febb0b3a7a64d91d1700818137fb2e5af461f316afd38a67fba07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/providers/embedding/openrouter.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 40538, "scanner": "repobility-ai-code-hygiene", "fingerprint": "139cbf5f6bc05caa778b214bd31d550df9c679e9652b10e9640e83fdbe16fc5a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/prompt-submit.ts", "duplicate_line": 15, "correlation_key": "fp|139cbf5f6bc05caa778b214bd31d550df9c679e9652b10e9640e83fdbe16fc5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/task-completed.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40537, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e6fe332a20e224df74bda581d1b06790e46d10ac6953099175ffe96e70f4e071", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/post-tool-use.ts", "duplicate_line": 14, "correlation_key": "fp|e6fe332a20e224df74bda581d1b06790e46d10ac6953099175ffe96e70f4e071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/task-completed.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40536, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0dcefe97e5c0b4cac824f7656a6d16232488775765ac888a94653335f9b87b4c", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/notification.ts", "duplicate_line": 1, "correlation_key": "fp|0dcefe97e5c0b4cac824f7656a6d16232488775765ac888a94653335f9b87b4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/task-completed.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40535, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c78eccccb7a152d7b0a669f3a0e837b41ff5cc0d52213078394b663879b8e3f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/post-tool-use.ts", "duplicate_line": 14, "correlation_key": "fp|0c78eccccb7a152d7b0a669f3a0e837b41ff5cc0d52213078394b663879b8e3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/subagent-stop.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40534, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ec623a7e98766613d96ff2f6b8ab0ee3871d9e0dc845dc8845aea7bad79d673", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/notification.ts", "duplicate_line": 1, "correlation_key": "fp|4ec623a7e98766613d96ff2f6b8ab0ee3871d9e0dc845dc8845aea7bad79d673"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/subagent-stop.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40533, "scanner": "repobility-ai-code-hygiene", "fingerprint": "600b4088afd832c4fee908cc880348ebd5d8e989aaf97aea399a3c01f2680363", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/post-tool-use.ts", "duplicate_line": 14, "correlation_key": "fp|600b4088afd832c4fee908cc880348ebd5d8e989aaf97aea399a3c01f2680363"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/subagent-start.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40532, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae92b582a673f7c26cefcdd5bffe1400547b13202bb01b3f401085e14dfbcce5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"src/hooks/notification.ts", "duplicate_line": 8, "correlation_key": "fp|ae92b582a673f7c26cefcdd5bffe1400547b13202bb01b3f401085e14dfbcce5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/subagent-start.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 40531, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e98c33a99fbef475a950e38b9c3bb9392de54324029455d9f92d0ad3cae6d1fe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/cli/connect/claude-code.ts", "duplicate_line": 8, "correlation_key": "fp|e98c33a99fbef475a950e38b9c3bb9392de54324029455d9f92d0ad3cae6d1fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/connect/codex.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 5142, "scanner": "repobility-docker", "fingerprint": "2b17be4bf6aee2718fb5df46587c8b85f72ed91b4adad5ae176965d574679dc8", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "iii-engine", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2b17be4bf6aee2718fb5df46587c8b85f72ed91b4adad5ae176965d574679dc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5128, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4f23e9e754fef74e8b8b7bf8724692c582037ccd144fa6bf53ec8d9eece56e1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/notification.ts", "duplicate_line": 1, "correlation_key": "fp|c4f23e9e754fef74e8b8b7bf8724692c582037ccd144fa6bf53ec8d9eece56e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/stop.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5127, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a28fc95c72c99291195d4e1e00ab63ee040962ca62190e13665b3f28af29dbbe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/notification.ts", "duplicate_line": 8, "correlation_key": "fp|a28fc95c72c99291195d4e1e00ab63ee040962ca62190e13665b3f28af29dbbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/session-start.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 5126, "scanner": "repobility-ai-code-hygiene", "fingerprint": "071d88df2fe4d73dd143da0ab59746287a9586a2cf8a8761571c717d21d01a4b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/prompt-submit.ts", "duplicate_line": 15, "correlation_key": "fp|071d88df2fe4d73dd143da0ab59746287a9586a2cf8a8761571c717d21d01a4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/session-end.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5125, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf534248435380d2c06454099681bb45d9ffdd986d7b8fff267f35850b6d4058", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/post-tool-use.ts", "duplicate_line": 14, "correlation_key": "fp|bf534248435380d2c06454099681bb45d9ffdd986d7b8fff267f35850b6d4058"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/session-end.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5124, "scanner": "repobility-ai-code-hygiene", "fingerprint": "433c0dda602df40d003b1a702281c6993b0199aa3c0fe4ec2e91030fd836ab6c", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/notification.ts", "duplicate_line": 1, "correlation_key": "fp|433c0dda602df40d003b1a702281c6993b0199aa3c0fe4ec2e91030fd836ab6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/session-end.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5123, "scanner": "repobility-ai-code-hygiene", "fingerprint": "54a3806e66b26371e7e880ae31b7efde6306a926eb555e77e3014b1e6dbcd02b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/post-tool-use.ts", "duplicate_line": 14, "correlation_key": "fp|54a3806e66b26371e7e880ae31b7efde6306a926eb555e77e3014b1e6dbcd02b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/prompt-submit.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5122, "scanner": "repobility-ai-code-hygiene", "fingerprint": "50c73e1f3726ddb13c8d176c4baef77b564b98193a947d8a9d572a769f3ecf63", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/notification.ts", "duplicate_line": 1, "correlation_key": "fp|50c73e1f3726ddb13c8d176c4baef77b564b98193a947d8a9d572a769f3ecf63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/prompt-submit.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5121, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6354c7427bfc022dea71b9017104429b5d34e158e77ebd2b6812318dda10c04c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/post-tool-use.ts", "duplicate_line": 14, "correlation_key": "fp|6354c7427bfc022dea71b9017104429b5d34e158e77ebd2b6812318dda10c04c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/pre-compact.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5120, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8dc2676127227c509fa7b0630b4f057a51fb6f6986ce7e6482a49af88db8ab7f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/notification.ts", "duplicate_line": 1, 
"correlation_key": "fp|8dc2676127227c509fa7b0630b4f057a51fb6f6986ce7e6482a49af88db8ab7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/pre-compact.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5119, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27e2daea78f6d11895043b13bca00a563a9647b2fabbbb17e1de6db588121a01", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/notification.ts", "duplicate_line": 1, "correlation_key": "fp|27e2daea78f6d11895043b13bca00a563a9647b2fabbbb17e1de6db588121a01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/post-tool-use.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5118, "scanner": "repobility-ai-code-hygiene", "fingerprint": "08eae7119d2c8a8ffc638dbcc8b6e149549b5f9f2ffa3dfb682f2f80d80e134a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/hooks/notification.ts", "duplicate_line": 1, "correlation_key": "fp|08eae7119d2c8a8ffc638dbcc8b6e149549b5f9f2ffa3dfb682f2f80d80e134a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/hooks/post-tool-failure.ts"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 5117, "scanner": "repobility-ai-code-hygiene", "fingerprint": "85ee23ed1ca8ad17c98d42e39def6b2667a5c84b723f23fc05f2ddaafeaff04f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/eval/schemas.ts", "duplicate_line": 17, "correlation_key": "fp|85ee23ed1ca8ad17c98d42e39def6b2667a5c84b723f23fc05f2ddaafeaff04f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/functions/compress.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 40551, "scanner": "repobility-docker", "fingerprint": "f6fa4ca07514bb8c60bc5d90837bbaa199bbbc56cf04e469721bb91f195fe056", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "iiidev/iii:${III_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f6fa4ca07514bb8c60bc5d90837bbaa199bbbc56cf04e469721bb91f195fe056"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/render/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a 
build variable"}, "properties": {"repobilityId": 40549, "scanner": "repobility-docker", "fingerprint": "f010561b487f4356a0bd5725f27233cc23104f6094285cf832ecc067e606a280", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "iiidev/iii:${III_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f010561b487f4356a0bd5725f27233cc23104f6094285cf832ecc067e606a280"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/railway/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 40547, "scanner": "repobility-docker", "fingerprint": "cec877c3743751d1f26e49b49552de6745344ba1bb0eeba5a591f3e68f9f1986", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "iiidev/iii:${III_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|cec877c3743751d1f26e49b49552de6745344ba1bb0eeba5a591f3e68f9f1986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/fly/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 40544, "scanner": 
"repobility-docker", "fingerprint": "a7bcde3af99b367dda1528bf7e5dc05dfb1144db27edc7e677958b6300361de8", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "iiidev/iii:${III_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a7bcde3af99b367dda1528bf7e5dc05dfb1144db27edc7e677958b6300361de8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/coolify/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 40530, "scanner": "repobility-threat-engine", "fingerprint": "ac217b4d9df6a3bef36b540d125b51cd509e87c7c1063b6318146b37c204a5f5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ac217b4d9df6a3bef36b540d125b51cd509e87c7c1063b6318146b37c204a5f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/state/reranker.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 40529, "scanner": "repobility-threat-engine", "fingerprint": "fe83b56d66793b21198d0ccead618469d94f1b71f9a5e4c7220350db6ad3e755", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe83b56d66793b21198d0ccead618469d94f1b71f9a5e4c7220350db6ad3e755"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/functions/migrate.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 40528, "scanner": "repobility-threat-engine", "fingerprint": "f79b4c6ce4eb0d7d776ad2633f739e1a0f46e1ad817ef3a9572abdaf1937f71a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f79b4c6ce4eb0d7d776ad2633f739e1a0f46e1ad817ef3a9572abdaf1937f71a"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 40524, "scanner": "repobility-threat-engine", "fingerprint": "79beb8c79c8fe2afad3d97b1aaa69b9e44070a54ac39178f92cc366b51132c53", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|79beb8c79c8fe2afad3d97b1aaa69b9e44070a54ac39178f92cc366b51132c53"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 40521, "scanner": "repobility-threat-engine", "fingerprint": "c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 40517, "scanner": "repobility-threat-engine", "fingerprint": "a7c4bef93afc28f89554c959d562126ce66f08c2272c9b89907c30b58229f048", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|src/state/schema.ts|60|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/state/schema.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 40516, "scanner": "repobility-threat-engine", "fingerprint": "6f717f4c8d2d1513844ca845e36b19ea69c7565efeab28cdf8bf720eef23e945", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|integrations/pi/index.ts|122|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/pi/index.ts"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 40515, "scanner": "repobility-threat-engine", "fingerprint": "4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 40511, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 40505, "scanner": "repobility-threat-engine", "fingerprint": "ab4e413953739492a9603b89fe5837d81408231705953ef40dcf2ebbc5b75e0c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ab4e413953739492a9603b89fe5837d81408231705953ef40dcf2ebbc5b75e0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/quickstart.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions 
on every build) instead of npm ci."}, "properties": {"repobilityId": 40504, "scanner": "repobility-threat-engine", "fingerprint": "eed53df9158425f49245c9aed4d550cf61190d740a5daccfc21caf33257a24fb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eed53df9158425f49245c9aed4d550cf61190d740a5daccfc21caf33257a24fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/observe_and_recall.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 40503, "scanner": "repobility-threat-engine", "fingerprint": "b7ff9e170846d2d0bb497bb24e66c36f6ddd86f5c0b785cd674894fc4504bcbf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7ff9e170846d2d0bb497bb24e66c36f6ddd86f5c0b785cd674894fc4504bcbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/observe_and_recall.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED054", "level": "none", "message": 
{"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 40502, "scanner": "repobility-threat-engine", "fingerprint": "9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "aggregated_count": 2}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 40501, "scanner": "repobility-threat-engine", "fingerprint": "45a58bd1b3dc3c3d6b5bc7099dece986e0e936d07153b48bad767830582ad30b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|45a58bd1b3dc3c3d6b5bc7099dece986e0e936d07153b48bad767830582ad30b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/functions/smart-search.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 40500, "scanner": "repobility-threat-engine", "fingerprint": "ce86fea3735c1da9270992cd6754a677a0379081f64177a902cf2963ee0a5515", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce86fea3735c1da9270992cd6754a677a0379081f64177a902cf2963ee0a5515"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/functions/migrate.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 40499, "scanner": "repobility-threat-engine", "fingerprint": "f3c1d8d2c6b0edba066de5cdb7e305c00f001305c8cdfca6c8721814ec7f305d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|f3c1d8d2c6b0edba066de5cdb7e305c00f001305c8cdfca6c8721814ec7f305d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmark/longmemeval-bench.ts"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 40498, "scanner": "repobility-threat-engine", "fingerprint": "fbfe1d7a5bb59f9e559e3cef0bd32ddb8fa0c4b8507ae15e00a98ea5edbf48c0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fbfe1d7a5bb59f9e559e3cef0bd32ddb8fa0c4b8507ae15e00a98ea5edbf48c0", "aggregated_count": 11}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40497, "scanner": "repobility-threat-engine", "fingerprint": "854dff2251dd091d2ae3832779b4ea7c6c5832418effa4b2285907e01f69314e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|854dff2251dd091d2ae3832779b4ea7c6c5832418effa4b2285907e01f69314e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/functions/auto-forget.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40496, "scanner": "repobility-threat-engine", "fingerprint": "0e21a5a030efc8f82c807c413e70d3997957ac0a05fead45ee58ea1bba82ca05", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0e21a5a030efc8f82c807c413e70d3997957ac0a05fead45ee58ea1bba82ca05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/functions/actions.ts"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 40495, "scanner": "repobility-threat-engine", "fingerprint": "fe0f9d5806bef358f997c96740fab38c134f5777b83922cf860758c557f5a6ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe0f9d5806bef358f997c96740fab38c134f5777b83922cf860758c557f5a6ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmark/longmemeval-bench.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 40494, "scanner": "repobility-threat-engine", "fingerprint": "ea93f5492ff921e9618c4e30a2631c7b1a2bef829e99f8007e5face821b69969", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ea93f5492ff921e9618c4e30a2631c7b1a2bef829e99f8007e5face821b69969", "aggregated_count": 6}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 40493, "scanner": "repobility-threat-engine", "fingerprint": "a6bd39b22945deaf5652bcfd11353f125f810369a8dfb7863db42245102abf41", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6bd39b22945deaf5652bcfd11353f125f810369a8dfb7863db42245102abf41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eval/runner/longmemeval.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 40492, "scanner": "repobility-threat-engine", "fingerprint": "608f597955262b60d5e44bd78d340e88d2bf1c4d52aec82678744f1088898575", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|608f597955262b60d5e44bd78d340e88d2bf1c4d52aec82678744f1088898575"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eval/runner/coding-life.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 40491, "scanner": "repobility-threat-engine", "fingerprint": "8ecf1b6a546b7005b2cb36cb668ec08aee352a287f9b356c1c3e11ddefb10eb9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8ecf1b6a546b7005b2cb36cb668ec08aee352a287f9b356c1c3e11ddefb10eb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmark/longmemeval-bench.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 40490, "scanner": "repobility-threat-engine", "fingerprint": "cea9866355a038634f49a33fe3675dd05bdfab113315ba4a5fc6f621944b5f4e", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|cea9866355a038634f49a33fe3675dd05bdfab113315ba4a5fc6f621944b5f4e"}}}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `iii-engine` image is selected through a build variable"}, "properties": {"repobilityId": 5141, "scanner": "repobility-docker", "fingerprint": "20c712e0c8dab9d8242ceda33f1472aa1026ddb4fc6027e1aafefc84b53f3cde", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "iiidev/iii:${AGENTMEMORY_III_VERSION:-0.11.2}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|20c712e0c8dab9d8242ceda33f1472aa1026ddb4fc6027e1aafefc84b53f3cde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 5139, "scanner": "repobility-threat-engine", "fingerprint": "55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5135, "scanner": "repobility-threat-engine", "fingerprint": "d09ff8a3407afd009e6c70e89dfed5600875a64b0b6a0b6e35da13a081c3d9be", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|46|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/components/MemoryGraph.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 5134, "scanner": "repobility-threat-engine", "fingerprint": "7ba7a2a67ae82a8810259598d666c302cb1d08d2424f140d4892da4b551fc809", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|92|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "website/components/LiveTerminal.tsx"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 5133, "scanner": "repobility-threat-engine", "fingerprint": "2cf909b74685c30321cd1272a7b03de7768283ce589c64cbac1d9febec441abb", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|benchmark/dataset.ts|287|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmark/dataset.ts"}, "region": {"startLine": 287}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5132, "scanner": "repobility-threat-engine", "fingerprint": "8ad717d91d869355c76338573978dae0090ec7b5e1ebea6a048f616ac749352d", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "print(f\"Rendered context ({context.get('token_count', 0)", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|print f rendered context context.get token_count 0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/observe_and_recall.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 5131, "scanner": "repobility-threat-engine", "fingerprint": "b1637a7a078572976977355568095e64142f06c3e5743ad25286e6fb75ede962", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`[agentmemory] Engine: ${config.engineUrl}`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|src/index.ts|14|console.log agentmemory engine: config.engineurl"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/index.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA (keep the tag in a trailing `# vN` comment for readability) and let Dependabot or Renovate bump the SHA, since a pinned SHA no longer picks up updates on its own."}, "properties": {"repobilityId": 40591, "scanner": "repobility-supply-chain", "fingerprint": "38c942a3de8d95e97da364a2c562c378fe37316dd08e91f096fe8c7a754c893d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38c942a3de8d95e97da364a2c562c378fe37316dd08e91f096fe8c7a754c893d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA (keep the tag in a trailing `# vN` comment for readability) and let Dependabot or Renovate bump the SHA, since a pinned SHA no longer picks up updates on its own."}, "properties": {"repobilityId": 40590, "scanner": "repobility-supply-chain", "fingerprint": "fe618e8e9c857a19ba79b5a6b9c6ebfe95373c54d74f88af1dc58899a9f84008", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe618e8e9c857a19ba79b5a6b9c6ebfe95373c54d74f88af1dc58899a9f84008"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA (keep the tag in a trailing `# vN` comment for readability) and let Dependabot or Renovate bump the SHA, since a pinned SHA no longer picks up updates on its own."}, "properties": {"repobilityId": 40589, "scanner": "repobility-supply-chain", "fingerprint": "826ab12e9faac62cdfa039bdae828676942b9258ac7a3b9e982f1419820ec575", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|826ab12e9faac62cdfa039bdae828676942b9258ac7a3b9e982f1419820ec575"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA (keep the tag in a trailing `# vN` comment for readability) and let Dependabot or Renovate bump the SHA, since a pinned SHA no longer picks up updates on its own."}, "properties": {"repobilityId": 40588, "scanner": "repobility-supply-chain", "fingerprint": "e43189f67e3d40798d58145250ad0f5f5c477de86771d815492d17846aaf602c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e43189f67e3d40798d58145250ad0f5f5c477de86771d815492d17846aaf602c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. Anyone with push access to that image repository can re-publish different content under the same tag, so every build may pull a different image with no change on your side. 
Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity, and bump the digest through automation (Dependabot or Renovate) so the pin does not freeze out security patches."}, "properties": {"repobilityId": 40587, "scanner": "repobility-supply-chain", "fingerprint": "1a8a62ba76d9b3bd7638f2fbdceb92becf098c09e4fadaa41be33dacb039d44d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a8a62ba76d9b3bd7638f2fbdceb92becf098c09e4fadaa41be33dacb039d44d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/fly/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `iiidev/iii (no tag)` not pinned by digest: `FROM iiidev/iii (no tag)` resolves the tag at build time. Anyone with push access to that image repository can re-publish different content under the same tag, so every build may pull a different image with no change on your side. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 40586, "scanner": "repobility-supply-chain", "fingerprint": "bebdf4fb7fbd587b9f36046c42fc48d64e4a249fd97d38ae4eecda3725d712ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bebdf4fb7fbd587b9f36046c42fc48d64e4a249fd97d38ae4eecda3725d712ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/fly/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 40585, "scanner": "repobility-supply-chain", "fingerprint": "21723c555dc1bd6d9b5f9a34a2f08c9f053998e690f6dbec5b2be0420bba12ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21723c555dc1bd6d9b5f9a34a2f08c9f053998e690f6dbec5b2be0420bba12ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/railway/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `iiidev/iii (no tag)` not pinned by digest: `FROM iiidev/iii (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 40584, "scanner": "repobility-supply-chain", "fingerprint": "b8ea117c5b030c16d4f07670360ce2cf2f37a22e1d47deb529566679e86a24d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8ea117c5b030c16d4f07670360ce2cf2f37a22e1d47deb529566679e86a24d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/railway/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 40583, "scanner": "repobility-supply-chain", "fingerprint": "eb198e22eb55b7a7199d6a066dd433f0b38d79746e9f322262572715846c0e87", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb198e22eb55b7a7199d6a066dd433f0b38d79746e9f322262572715846c0e87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/coolify/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `iiidev/iii (no tag)` not pinned by digest: `FROM iiidev/iii (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 40582, "scanner": "repobility-supply-chain", "fingerprint": "a2ea126559cb40e3190573650e99c6153c7f9b8f6c805f4f819552107901603f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2ea126559cb40e3190573650e99c6153c7f9b8f6c805f4f819552107901603f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/coolify/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 40581, "scanner": "repobility-supply-chain", "fingerprint": "55f079417f4be38cc4eb955f1ca6e3a076a86326adda566a6ced7c77079a2b50", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|55f079417f4be38cc4eb955f1ca6e3a076a86326adda566a6ced7c77079a2b50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/render/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `iiidev/iii (no tag)` not pinned by digest: `FROM iiidev/iii (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 40580, "scanner": "repobility-supply-chain", "fingerprint": "144a6d81f3bf9570b686ae633e666df57b53ee5447a4867cffcfd59cdde86e12", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|144a6d81f3bf9570b686ae633e666df57b53ee5447a4867cffcfd59cdde86e12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/render/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `on_memory_write` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40579, "scanner": "repobility-ast-engine", "fingerprint": "ee5be0051ef8e08401b24553984d4c9115135d848509ab8ade24b8196dfdae2d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee5be0051ef8e08401b24553984d4c9115135d848509ab8ade24b8196dfdae2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 373}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_id` used but never assigned in __init__: Method `on_pre_compress` of class `AgentMemoryProvider` reads `self._session_id`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40578, "scanner": "repobility-ast-engine", "fingerprint": "23ee4e4f0ca94e3d9b7fe6d83ed6d4ab45e30552052ee94c84072e2a9d4eb162", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23ee4e4f0ca94e3d9b7fe6d83ed6d4ab45e30552052ee94c84072e2a9d4eb162"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 362}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._project` used but never assigned in __init__: Method `on_pre_compress` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40577, "scanner": "repobility-ast-engine", "fingerprint": "eba1bdbf62b1b0c82fcb744963dde614f486b3daa28eecd54f318395d3763516", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eba1bdbf62b1b0c82fcb744963dde614f486b3daa28eecd54f318395d3763516"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 363}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `on_pre_compress` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40576, "scanner": "repobility-ast-engine", "fingerprint": "062caceb300e40883585daccefad451c03e931dfbc539e934f43af719fc9c888", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|062caceb300e40883585daccefad451c03e931dfbc539e934f43af719fc9c888"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 361}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_id` used but never assigned in __init__: Method `on_session_end` of class `AgentMemoryProvider` reads `self._session_id`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40575, "scanner": "repobility-ast-engine", "fingerprint": "bfbbc848950b2ef7268f5c079f8e652f50ff9a998e8a320ac3025138ea4ba474", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bfbbc848950b2ef7268f5c079f8e652f50ff9a998e8a320ac3025138ea4ba474"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 357}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `on_session_end` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40574, "scanner": "repobility-ast-engine", "fingerprint": "9befe452e145a004e7db0718cf0b7cb7bff96355bf24776c54bd15889245bddf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9befe452e145a004e7db0718cf0b7cb7bff96355bf24776c54bd15889245bddf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_id` used but never assigned in __init__: Method `sync_turn` of class `AgentMemoryProvider` reads `self._session_id`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40573, "scanner": "repobility-ast-engine", "fingerprint": "55560fd21c92ea677efe1a60d730894b21c187023c51b124e3b0e2a4e66efcae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|55560fd21c92ea677efe1a60d730894b21c187023c51b124e3b0e2a4e66efcae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._project` used but never assigned in __init__: Method `sync_turn` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40572, "scanner": "repobility-ast-engine", "fingerprint": "cf1cc4828d2cb0eb0998243a67977daf93294cc43154fdd1818110829e531d73", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf1cc4828d2cb0eb0998243a67977daf93294cc43154fdd1818110829e531d73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 346}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._project` used but never assigned in __init__: Method `sync_turn` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40571, "scanner": "repobility-ast-engine", "fingerprint": "5813004884129f8528bcc58dbfac50746234a7ad520a5b1968dd290edf2046fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5813004884129f8528bcc58dbfac50746234a7ad520a5b1968dd290edf2046fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 345}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `sync_turn` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40570, "scanner": "repobility-ast-engine", "fingerprint": "9b255affa997d738e347e3fdcb7701f25ba904b1d44ef65e5538e6546927d219", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9b255affa997d738e347e3fdcb7701f25ba904b1d44ef65e5538e6546927d219"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 342}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `handle_tool_call` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40569, "scanner": "repobility-ast-engine", "fingerprint": "c89b1520d74391be59ab11a31b0368516e335ed8d74179f4097e3ee1e836f485", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c89b1520d74391be59ab11a31b0368516e335ed8d74179f4097e3ee1e836f485"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 323}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `handle_tool_call` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40568, "scanner": "repobility-ast-engine", "fingerprint": "78e50f4c6d6886d3486244f08001fc08782057f9c4060c0d816292cb40c28fd2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|78e50f4c6d6886d3486244f08001fc08782057f9c4060c0d816292cb40c28fd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 316}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `handle_tool_call` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40567, "scanner": "repobility-ast-engine", "fingerprint": "53f86e9b673f54664749eb55b8067646335d008ce383806604416644f5e95ac5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|53f86e9b673f54664749eb55b8067646335d008ce383806604416644f5e95ac5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 297}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `queue_prefetch` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40566, "scanner": "repobility-ast-engine", "fingerprint": "df2ce097c1d9672f311909da4ad6aee324adb8276724c9774487ff615b8474fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|df2ce097c1d9672f311909da4ad6aee324adb8276724c9774487ff615b8474fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `prefetch` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40565, "scanner": "repobility-ast-engine", "fingerprint": "5d5a4fa85f9921d9ff9af855f1a7a321d67ea7b087980f9037b940939a66b8d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d5a4fa85f9921d9ff9af855f1a7a321d67ea7b087980f9037b940939a66b8d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._project` used but never assigned in __init__: Method `system_prompt_block` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40564, "scanner": "repobility-ast-engine", "fingerprint": "0f41515e5c97fbbe8cb0f909881c54ef982d53dc5e9abf805593d687a17cd170", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0f41515e5c97fbbe8cb0f909881c54ef982d53dc5e9abf805593d687a17cd170"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_id` used but never assigned in __init__: Method `system_prompt_block` of class `AgentMemoryProvider` reads `self._session_id`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40563, "scanner": "repobility-ast-engine", "fingerprint": "7a471808478aeb714ff3b4d273dc831e029bdc1b3e866fe00b7419b6b73b062c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a471808478aeb714ff3b4d273dc831e029bdc1b3e866fe00b7419b6b73b062c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `system_prompt_block` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40562, "scanner": "repobility-ast-engine", "fingerprint": "a2c30623d1146843c3bb4b2f6b3d4ebc761dffb85af5803dc70ae417ae0c9cbc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a2c30623d1146843c3bb4b2f6b3d4ebc761dffb85af5803dc70ae417ae0c9cbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._project` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40561, "scanner": "repobility-ast-engine", "fingerprint": "69a62f0e98da2cbea8e4468ab0644a919f0f5d3606c638767f4b427e2a5e0d59", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|69a62f0e98da2cbea8e4468ab0644a919f0f5d3606c638767f4b427e2a5e0d59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._project` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40560, "scanner": "repobility-ast-engine", "fingerprint": "27fb6748626273f8fc59a06343f633426933247445da0793e5aa9b907dc43348", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|27fb6748626273f8fc59a06343f633426933247445da0793e5aa9b907dc43348"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40559, "scanner": "repobility-ast-engine", "fingerprint": "00647c500e451eb43a22c9f78fde6758c5974f62c25b4813d22498b7d69f0a36", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|00647c500e451eb43a22c9f78fde6758c5974f62c25b4813d22498b7d69f0a36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40558, "scanner": "repobility-ast-engine", "fingerprint": "51417259ca870274a8ac40d54a7608a110d744bec37cf77b006fdf811ea33d80", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|51417259ca870274a8ac40d54a7608a110d744bec37cf77b006fdf811ea33d80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._project` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40557, "scanner": "repobility-ast-engine", "fingerprint": "6848a7d268d71a95fc11a2ead48b74ad6af50b5e07f47842860af462bd6d5852", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6848a7d268d71a95fc11a2ead48b74ad6af50b5e07f47842860af462bd6d5852"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._session_id` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._session_id`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40556, "scanner": "repobility-ast-engine", "fingerprint": "a950d4e9472a0f2a9516b333152b58a4d606a30906ef6cad933d1be21607bb1e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a950d4e9472a0f2a9516b333152b58a4d606a30906ef6cad933d1be21607bb1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._base` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 40555, "scanner": "repobility-ast-engine", "fingerprint": "eefb5e482b21d3688d4a8e71544f33d9d7d135181449d986c2d6c44243ae4db4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eefb5e482b21d3688d4a8e71544f33d9d7d135181449d986c2d6c44243ae4db4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/hermes/__init__.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40527, "scanner": "repobility-threat-engine", "fingerprint": "69a10821329a271b523f1f94b7f595c8d0e0c25fb43ec6b9ee5c322bf5bb66c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(xml", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|69a10821329a271b523f1f94b7f595c8d0e0c25fb43ec6b9ee5c322bf5bb66c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/functions/graph.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40526, "scanner": "repobility-threat-engine", "fingerprint": "208c588592c21401def6fcebc927b19f25729958a850faceefb4fae025a625cd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(response", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|208c588592c21401def6fcebc927b19f25729958a850faceefb4fae025a625cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/functions/consolidation-pipeline.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 40525, "scanner": "repobility-threat-engine", "fingerprint": "00ffc13fb223846fc8ac639cea122777e8912574146ed37bb67264e08641e381", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00ffc13fb223846fc8ac639cea122777e8912574146ed37bb67264e08641e381"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-env-example.mjs"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40514, "scanner": "repobility-threat-engine", "fingerprint": "8b10cb08cd557dc246cb3670dcd466b05a1ca4214d8b6c76471732104efaadb5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8b10cb08cd557dc246cb3670dcd466b05a1ca4214d8b6c76471732104efaadb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/pi/security.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40513, "scanner": "repobility-threat-engine", "fingerprint": "9a9ab2ecfc062624eb746faa3220730f213f78b1a5a88e8a697b522a0dc1d7e0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a9ab2ecfc062624eb746faa3220730f213f78b1a5a88e8a697b522a0dc1d7e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/pi/index.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 40512, "scanner": "repobility-threat-engine", "fingerprint": "b2e0ca16ea2e7b6fe82330016fceb84ce37102447e82d93e490a9b55363269b3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b2e0ca16ea2e7b6fe82330016fceb84ce37102447e82d93e490a9b55363269b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/openclaw/plugin.mjs"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40510, "scanner": "repobility-threat-engine", "fingerprint": "474f1a7ef2e385033c78bc96aef55c89625df5717ac4d35c3293e504f9109322", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pathTo.delete(startNode.id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|474f1a7ef2e385033c78bc96aef55c89625df5717ac4d35c3293e504f9109322"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/functions/graph-retrieval.ts"}, "region": {"startLine": 302}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40509, "scanner": "repobility-threat-engine", "fingerprint": "7743dba660e2349fa7d0b25f30868cdf83e633c2609b41596c69bfca2b63be3f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.entries.delete(hash);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7743dba660e2349fa7d0b25f30868cdf83e633c2609b41596c69bfca2b63be3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/functions/dedup.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 40508, "scanner": "repobility-threat-engine", "fingerprint": "9f696245fbd53a840cb5c87a2aa847edcde80c8875701d5c7b5ae48be2b6fc83", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.pendingByPath.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f696245fbd53a840cb5c87a2aa847edcde80c8875701d5c7b5ae48be2b6fc83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/filesystem-watcher/watcher.mjs"}, "region": {"startLine": 187}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 40507, "scanner": "repobility-threat-engine", "fingerprint": "eff76a3644ceaff79b342d1c0ca780c5ab7a8b59a8ac2b56ca60077f05aee265", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(source", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eff76a3644ceaff79b342d1c0ca780c5ab7a8b59a8ac2b56ca60077f05aee265"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/functions/privacy.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 40506, "scanner": "repobility-threat-engine", "fingerprint": "287425f77bd06611c3166468cba9bd18218eec6c6ad08011c21357ad9f77726b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|287425f77bd06611c3166468cba9bd18218eec6c6ad08011c21357ad9f77726b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/filesystem-watcher/watcher.mjs"}, "region": {"startLine": 305}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40489, "scanner": "repobility-threat-engine", "fingerprint": "9f0de6408ec278dc98a87078dd988f0acc329008d5f01164742b39e96c381548", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((a) => `  agentmemory connect ${a}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f0de6408ec278dc98a87078dd988f0acc329008d5f01164742b39e96c381548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/onboarding.ts"}, "region": {"startLine": 254}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40488, "scanner": "repobility-threat-engine", "fingerprint": "914347dfc43cc165bb7b9fcc7fb72db76ad4169652810d5b3f9b58e3547bb717", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((t) => `[${t.role}] ${t.content}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|914347dfc43cc165bb7b9fcc7fb72db76ad4169652810d5b3f9b58e3547bb717"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eval/runner/load.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 40487, "scanner": "repobility-threat-engine", "fingerprint": "3f9df9995a550973c9deb52415ad448d17f3f85c285722b84e8373327947a61b", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((t) => `${t.role}: ${t.content}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3f9df9995a550973c9deb52415ad448d17f3f85c285722b84e8373327947a61b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmark/longmemeval-bench.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 5140, "scanner": "repobility-docker", "fingerprint": "c279e25827bbf71f70cf6e362108efb1f9086790c14d5c2d149d6da44b1d0a22", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "iii-init", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c279e25827bbf71f70cf6e362108efb1f9086790c14d5c2d149d6da44b1d0a22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 7}}}]}]}]}