{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. 
Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. 
`curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables instead of a key in source code. Add the file pattern that holds the key to .gitignore. A key that was already committed remains in the repository history, so rotate it."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/322"}, "properties": {"repository": "esengine/DeepSeek-Reasonix", "repoUrl": "https://github.com/esengine/DeepSeek-Reasonix", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 10189, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 10188, "scanner": 
"repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 10184, "scanner": "repobility-threat-engine", "fingerprint": "9376ea1fd56e12b6627231db5c54162a1f77719d0748fae18c0644095f25d2d1", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": "Pattern matched with no mitigating context found | [R34-retro auto-suppress: documentation/example path]", "evidence": {"match": ".catch(()=>{})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9376ea1fd56e12b6627231db5c54162a1f77719d0748fae18c0644095f25d2d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/config.jsx"}, "region": {"startLine": 305}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 10183, "scanner": "repobility-threat-engine", "fingerprint": "629ed659c654ebecf3b22b3acca5c46ed90a4e7affc2e56c5d89915d8d545bf0", 
"category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": "Pattern matched with no mitigating context found | [R34-retro auto-suppress: setup/install wizard (placeholder values)]", "evidence": {"match": ".catch(()=>{})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|629ed659c654ebecf3b22b3acca5c46ed90a4e7affc2e56c5d89915d8d545bf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/install.jsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 10182, "scanner": "repobility-threat-engine", "fingerprint": "770853e4c5d73e23f3793b750b059a5410f375c78b4987a952856fd0abc38942", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": "Pattern matched with no mitigating context found | [R34-retro auto-suppress: documentation/example path]", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|770853e4c5d73e23f3793b750b059a5410f375c78b4987a952856fd0abc38942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/community.jsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 10176, "scanner": "repobility-threat-engine", "fingerprint": "2ddb7a27acaecc0105b22ce8f071e536d96a5f50fa34cd7a41572438b6c255ad", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": 
"open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|426|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/ui/slash/commands.ts"}, "region": {"startLine": 426}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 10175, "scanner": "repobility-threat-engine", "fingerprint": "856e030523d0125f4c6c1ed2314e81f7aabf4c386f9616c1154e2ad7ef3774ab", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|458|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/panels/chat.ts"}, "region": {"startLine": 458}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 10174, "scanner": "repobility-threat-engine", "fingerprint": "e89aa39e93fd09e21dadcaf4ed3c9b831ed543e1e5d601d5693f5b6e880dfb97", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": 
"exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|src/at-mentions.ts|364|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/at-mentions.ts"}, "region": {"startLine": 364}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 10168, "scanner": "repobility-agent-runtime", "fingerprint": "8e6a3cd95852450a5610bf8ac6307afa2398a9a8206e0e43d3e57803307712e3", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8e6a3cd95852450a5610bf8ac6307afa2398a9a8206e0e43d3e57803307712e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/index.ts"}, "region": {"startLine": 370}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10167, "scanner": "repobility-agent-runtime", "fingerprint": "d6a250b10fa39ee9fc8f6fef0eab8cc396e51ccc05f667a300c57130a92d732c", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|d6a250b10fa39ee9fc8f6fef0eab8cc396e51ccc05f667a300c57130a92d732c"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "docs/src/i18n.jsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10166, "scanner": "repobility-agent-runtime", "fingerprint": "ba49e8440aad20436bfb3192ed358527d3590de2497410d9119e3629a37cf5c3", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ba49e8440aad20436bfb3192ed358527d3590de2497410d9119e3629a37cf5c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/i18n.js"}, "region": {"startLine": 386}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10165, "scanner": "repobility-agent-runtime", "fingerprint": "ee38a4411e5d43e36ecd7d08ebd8e0dd7ecf4055e0e5746b4ebd813896044e14", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ee38a4411e5d43e36ecd7d08ebd8e0dd7ecf4055e0e5746b4ebd813896044e14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/i18n/index.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network 
code directly to a shell"}, "properties": {"repobilityId": 10164, "scanner": "repobility-agent-runtime", "fingerprint": "da5636a78eade32d827828ebc3986f53007008c4ac9965bf29ca5cda3020cdaf", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|da5636a78eade32d827828ebc3986f53007008c4ac9965bf29ca5cda3020cdaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/panels/semantic.ts"}, "region": {"startLine": 463}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10163, "scanner": "repobility-agent-runtime", "fingerprint": "0ba89e2e05085bd45c85fbc9cc6b9bc510f68902986f2e44f3862aa253dbc68e", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|0ba89e2e05085bd45c85fbc9cc6b9bc510f68902986f2e44f3862aa253dbc68e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/panels/chat.ts"}, "region": {"startLine": 138}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10162, "scanner": "repobility-agent-runtime", "fingerprint": "dff63d8ebcf02947d0bd749f401b5a527f507291345a6dcfac4da076b8e757aa", "category": "quality", "severity": "medium", 
"confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|dff63d8ebcf02947d0bd749f401b5a527f507291345a6dcfac4da076b8e757aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/lib/i18n.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10161, "scanner": "repobility-agent-runtime", "fingerprint": "6a6214221b6d4bf2a2dbfe9ddda002569a541705cd329f868fdc706dab153a59", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|6a6214221b6d4bf2a2dbfe9ddda002569a541705cd329f868fdc706dab153a59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/app.js"}, "region": {"startLine": 87}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 10160, "scanner": "repobility-agent-runtime", "fingerprint": "89244ebdf9c69cf4333d7c7927908ca4dcc21cc106e8de6f1291c57f3be4bfa6", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard 
wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|89244ebdf9c69cf4333d7c7927908ca4dcc21cc106e8de6f1291c57f3be4bfa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CHANGELOG.md"}, "region": {"startLine": 122}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10159, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e9523f402c9033a3ea1d4a5fa87eaf86e8d654512e92182844e5608bff7665b", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/server/api/memory.ts", "duplicate_line": 29, "correlation_key": "fp|5e9523f402c9033a3ea1d4a5fa87eaf86e8d654512e92182844e5608bff7665b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/api/skills.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10158, "scanner": "repobility-ai-code-hygiene", "fingerprint": "98569950892ccf3965455b61bf3fc658e4de967e69949379b6ce35a4c37df4fa", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/server/api/files.ts", "duplicate_line": 7, "correlation_key": 
"fp|98569950892ccf3965455b61bf3fc658e4de967e69949379b6ce35a4c37df4fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/api/project-tree.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10157, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a45a4cd6b444a38c11d8918ea10efa58cc7e96033cfadda277433aa52bdf7120", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/server/api/checkpoint-delete.ts", "duplicate_line": 5, "correlation_key": "fp|a45a4cd6b444a38c11d8918ea10efa58cc7e96033cfadda277433aa52bdf7120"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/api/checkpoint-restore.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10156, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5604d42e80c017c559ef6af7bddf840556ffb87e8d99587df4f0fa4b095691b", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/acp/protocol.ts", "duplicate_line": 2, "correlation_key": "fp|b5604d42e80c017c559ef6af7bddf840556ffb87e8d99587df4f0fa4b095691b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mcp/types.ts"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10155, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c139f1a9dbc6308e75feed08d543fce6bf63f57da8732c9427a281400562e65a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/mcp/sse.ts", "duplicate_line": 42, "correlation_key": "fp|c139f1a9dbc6308e75feed08d543fce6bf63f57da8732c9427a281400562e65a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mcp/streamable-http.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10154, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e1e207949d96770c6bde1796fd93bad04034da2100080be61a4893654569872", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/cli/ui/PromptInput.tsx", "duplicate_line": 559, "correlation_key": "fp|7e1e207949d96770c6bde1796fd93bad04034da2100080be61a4893654569872"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/ui/prompt-viewport.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
10153, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5810e4f78289214e216c4556fe822934e0ede6bf566e1b95c1d3dd4f4a6fde26", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/cli/ui/PathConfirm.tsx", "duplicate_line": 121, "correlation_key": "fp|5810e4f78289214e216c4556fe822934e0ede6bf566e1b95c1d3dd4f4a6fde26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/ui/ShellConfirm.tsx"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10152, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3d1cb17ee00dfe187e1f3b5f9d93d1b3b992ae78dbc3799660b142f647d884fb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/cli/ui/DiffApp.tsx", "duplicate_line": 21, "correlation_key": "fp|3d1cb17ee00dfe187e1f3b5f9d93d1b3b992ae78dbc3799660b142f647d884fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/ui/ReplayApp.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10151, "scanner": "repobility-ai-code-hygiene", "fingerprint": "31c5bc75da004ee97c3585b3bb2440c788ea62ffbf08faa0d95f2774d2f8af72", "category": "quality", "severity": 
"medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/cli/commands/mcp-browse.tsx", "duplicate_line": 20, "correlation_key": "fp|31c5bc75da004ee97c3585b3bb2440c788ea62ffbf08faa0d95f2774d2f8af72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/ui/McpMarketplace.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10150, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e4e1702c4f6a5e12d0889586851066f276cdf291c382c6e933634f5f8ec29b7f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/cli/commands/acp.ts", "duplicate_line": 103, "correlation_key": "fp|e4e1702c4f6a5e12d0889586851066f276cdf291c382c6e933634f5f8ec29b7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/commands/run.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10149, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43861d38711fde508168309e73e246f6e3a537bd7f6cb2587dadbfcb2302a178", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/perf/profile-tui-streaming.tsx", "duplicate_line": 3, "correlation_key": "fp|43861d38711fde508168309e73e246f6e3a537bd7f6cb2587dadbfcb2302a178"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/perf/profile-tui-sync.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 10187, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 10186, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 10179, "scanner": "repobility-threat-engine", "fingerprint": "caac2e81a7c2d1507dc94a8e9a2ab3a14f58a7c6bd8cf926ef57b5edb02a5bb8", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = f", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|docs/i18n.js|470|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/i18n.js"}, "region": {"startLine": 470}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 10178, "scanner": "repobility-threat-engine", "fingerprint": "d81b083143d938b828457939b0142a77c9267afa62acf4235fcb3e762fbb6609", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = d", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|docs/arch-i18n.js|255|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/arch-i18n.js"}, "region": {"startLine": 255}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] 
XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 10177, "scanner": "repobility-threat-engine", "fingerprint": "763d2cba31c4a2c5687d540cf136126ae5459507d00d39d5eb0c020e659f66bd", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = d", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|docs/cli-ref-i18n.js|131|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/cli-ref-i18n.js"}, "region": {"startLine": 131}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 10148, "scanner": "repobility-ai-code-hygiene", "fingerprint": "10b963226e2e25a77ec81e1600d5e92dcfc3bb9e6b1f28a640d65503d97664dc", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "final", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|10b963226e2e25a77ec81e1600d5e92dcfc3bb9e6b1f28a640d65503d97664dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/ui/hooks/handle-assistant-final.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 10185, "scanner": "repobility-threat-engine", "fingerprint": "60d6be488fc9792b7c544c84123a75cbfde5e34988a54174c40e3a6c52f2694e", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|60d6be488fc9792b7c544c84123a75cbfde5e34988a54174c40e3a6c52f2694e"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10181, "scanner": "repobility-threat-engine", "fingerprint": "d597c038bd1448681c294681988de7e2b7e9c7c6c278ae6cbd1594c503e55a3c", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error(\"DEEPSEEK_API_KEY not set in env. Add it to .env and re-run.\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|12|console.error deepseek_api_key not set in env. 
add it to .env and re-run."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/spike-mcp-reconnect/runner.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 10180, "scanner": "repobility-threat-engine", "fingerprint": "d62afa18f06a325cee859bfc8963ff1f72b12cc2df69d78422fa7b9f881be030", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d62afa18f06a325cee859bfc8963ff1f72b12cc2df69d78422fa7b9f881be030"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 10173, "scanner": "repobility-threat-engine", "fingerprint": "9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10172, "scanner": "repobility-threat-engine", "fingerprint": "34654f0b0de046b0148abbb652b39eb180531b92ae639b6789cd38d376ea5f0a", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|src/code/checkpoints.ts|113|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/code/checkpoints.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 10171, "scanner": "repobility-threat-engine", "fingerprint": "2fe2f80ae4b65bc9d990345a0f1e87eb471ad22fb109292651080ac5ce613706", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|desktop/src/app.tsx|1336|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "desktop/src/App.tsx"}, "region": {"startLine": 1336}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 10170, "scanner": "repobility-threat-engine", "fingerprint": "bc283187cd19f25dc4bf73ea561905993b908c674c2c34a4d7bf6c2b2eb9243d", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|docs/src/hero.jsx|57|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/hero.jsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC002", "level": "error", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 10169, "scanner": "repobility-threat-engine", "fingerprint": "480aeb4c44a97409dcd00c588d090fc41a26bb30c11a3ecb20a1280bb4ff00ef", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.0 bits) \u2014 likely real secret", "evidence": {"match": "API_KEY = \"<redacted>\"", "reason": "High entropy value (4.0 bits) \u2014 likely real secret", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|src/config.ts|21|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.ts"}, "region": {"startLine": 213}}}]}]}]}