{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `if (!owner) return false;` has no version pin: Unpinned pip requirement means every fresh ", "shortDescription": {"text": "[MINED124] requirements.txt: `if (!owner) return false;` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). "}, "fullDescription": {"text": "Replace `if (!owner) return false;` with `if (!owner) return false;==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /up"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /session/manage/route"}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 14.5% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 14.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define 
.repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across 
source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_close_issues` has cognitive complexity 9 (SonarSource scale). Cognitive ", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_close_issues` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 9."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 24 more): Same pattern found in 24 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 35 more): Same pattern found in 35 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 49 more): Same pattern found in 49 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 49 more): Same pattern found in 49 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 31 more): Same pattern found in 31 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 31 more): Same pattern found in 31 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 53 more): Same pattern found in 53 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 53 more): Same pattern found in 53 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 52 more): Same pattern found in 52 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 45 more): Same pattern found in 45 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 45 more): Same pattern found in 45 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 62 more): Same pattern found in 62 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 62 more): Same pattern found in 62 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ghcr.io/open-gsd/gsd-ci-builder:latest` unpinned: `container/services imag", "shortDescription": {"text": "[MINED126] Workflow container/services image `ghcr.io/open-gsd/gsd-ci-builder:latest` unpinned: `container/services image: ghcr.io/open-gsd/gsd-ci-builder:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflo"}, "fullDescription": {"text": "Replace with `ghcr.io/open-gsd/gsd-ci-builder:latest@sha256:<digest>`. 
Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run", "shortDescription": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) "}, "fullDescription": {"text": "Replace with: `uses: pnpm/action-setup@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:24-bookworm-slim` not pinned by digest: `FROM node:24-bookworm-slim` resolves the tag a", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm-slim` not pinned by digest: `FROM node:24-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Prod"}, "fullDescription": {"text": "Replace with: `FROM node:24-bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `@opengsd/contracts` pulled from URL/Git: `dependencies.@opengsd/contracts` = `file:../packa", "shortDescription": {"text": "[MINED122] package.json dep `@opengsd/contracts` pulled from URL/Git: `dependencies.@opengsd/contracts` = `file:../packages/contracts` bypasses the npm registry. 
No integrity hash, no version locking, no registry-side scanning. If the URL o"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_preserves_non_status_labels` of class `T", "shortDescription": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_preserves_non_status_labels` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). T"}, "fullDescription": {"text": "Initialize `self._setup_repo = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. 
Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC092", "name": "[SEC092] Go: SQL via fmt.Sprintf or string concat: SQL query constructed via Sprintf or `+` enables SQL injection. Porte", "shortDescription": {"text": "[SEC092] Go: SQL via fmt.Sprintf or string concat: SQL query constructed via Sprintf or `+` enables SQL injection. Ported from gosec G201 / G202 (Apache-2.0)."}, "fullDescription": {"text": "Use placeholders: `db.Query(\"SELECT ... 
WHERE id = ?\", userID)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `const resolved = path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render.", "shortDescription": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1145"}, "properties": {"repository": "open-gsd/gsd-pi", "repoUrl": "https://github.com/open-gsd/gsd-pi", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `if (!owner) return false;` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114410, "scanner": "repobility-supply-chain", "fingerprint": "7d8328b7f19bb42dd12951a4433c99c3b1e1222b3f740d5338db8ee7b43d66f1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d8328b7f19bb42dd12951a4433c99c3b1e1222b3f740d5338db8ee7b43d66f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `const owner = (primaryOwner ?? \"\").trim();` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114409, "scanner": "repobility-supply-chain", "fingerprint": "1aab314f9531d6bb76c21298e600de83267f2961a8f687f9a8290e15fe4fc2df", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1aab314f9531d6bb76c21298e600de83267f2961a8f687f9a8290e15fe4fc2df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `export function isRequirementMappedToSlice(primaryOwner: string | null | undefined): boolean {` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114408, "scanner": "repobility-supply-chain", "fingerprint": "fd4de41efd19061a60510ca1bb2293b24c9682f3a3c036933472f619957d014b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd4de41efd19061a60510ca1bb2293b24c9682f3a3c036933472f619957d014b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `/** True when primary_owner names a concrete slice (`M###/S##`). */` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114407, "scanner": "repobility-supply-chain", "fingerprint": "e56e7290ac1c384a60b993d441d84840bf7490393a68961678ab349c1792bb3b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e56e7290ac1c384a60b993d441d84840bf7490393a68961678ab349c1792bb3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `}` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114406, "scanner": "repobility-supply-chain", "fingerprint": "601032d569eb84f2482f46d2e97f07a881c3b3ad33017635c7354c320ed5c0e7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|601032d569eb84f2482f46d2e97f07a881c3b3ad33017635c7354c320ed5c0e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `return MILESTONE_OWNER_RE.test(owner);` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114405, "scanner": "repobility-supply-chain", "fingerprint": "1d7038681a9b26a30b1dd2564ba59d07cb54090656d4f2294a4858d5e877d5d5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1d7038681a9b26a30b1dd2564ba59d07cb54090656d4f2294a4858d5e877d5d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `const owner = (primaryOwner ?? \"\").trim();` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114404, "scanner": "repobility-supply-chain", "fingerprint": "dec9eef7ae823915d33509df080916186b363190b8feef73d8ae3908b98c2909", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dec9eef7ae823915d33509df080916186b363190b8feef73d8ae3908b98c2909"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `export function isRequirementMappedToMilestone(primaryOwner: string | null | undefined): boolean {` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114403, "scanner": "repobility-supply-chain", "fingerprint": "6c01020c097506aec561cfb3cc7032d0d0ac0223d96930bfd7e417fc27fc78b7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c01020c097506aec561cfb3cc7032d0d0ac0223d96930bfd7e417fc27fc78b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `/** True when primary_owner points at a milestone (including provisional `M###/none yet`). */` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114402, "scanner": "repobility-supply-chain", "fingerprint": "471bd41b1c3f3d016af3fffdcb0ccde4b348a13e265ab93ff168a55456f88fd7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|471bd41b1c3f3d016af3fffdcb0ccde4b348a13e265ab93ff168a55456f88fd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `const SLICE_OWNER_RE = /^M\\d+[^/]*\\/S\\d/i;` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114401, "scanner": "repobility-supply-chain", "fingerprint": "004d4dae7b3e61d3852aea1db478eb77250bb1970d9f2a94fd927d527a664d8a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|004d4dae7b3e61d3852aea1db478eb77250bb1970d9f2a94fd927d527a664d8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `const MILESTONE_OWNER_RE = /^M\\d/i;` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114400, "scanner": "repobility-supply-chain", "fingerprint": "634d06d5cfd9c68a7a314cd58584866d1463803bf90fc1eeecd1e493ee9b736c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|634d06d5cfd9c68a7a314cd58584866d1463803bf90fc1eeecd1e493ee9b736c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `}` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114399, "scanner": "repobility-supply-chain", "fingerprint": "9f829a904c20ce6dc22090e299f0eb9ebab0422553b2ce24dc45644ff58b9bf1", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f829a904c20ce6dc22090e299f0eb9ebab0422553b2ce24dc45644ff58b9bf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `unmappedActiveRequirements: Requirement[];` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114398, "scanner": "repobility-supply-chain", "fingerprint": "c9d28cf50547f537a060728183cf6f70bf70390f80ecb418f9f5e08a7e87ab86", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9d28cf50547f537a060728183cf6f70bf70390f80ecb418f9f5e08a7e87ab86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `mappedToSlice: number;` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114397, "scanner": "repobility-supply-chain", "fingerprint": "156ed6a3e65bd5fba33ac40c473aed8b924071fe279b2acbe47ce1ab2072cfb6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|156ed6a3e65bd5fba33ac40c473aed8b924071fe279b2acbe47ce1ab2072cfb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `unmappedActive: number;` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114396, "scanner": "repobility-supply-chain", "fingerprint": "bbdf1ff22eb325106ab3224fc0d10aa6a3a39f15e5e0aeb9c11ebb2b3f7acf57", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bbdf1ff22eb325106ab3224fc0d10aa6a3a39f15e5e0aeb9c11ebb2b3f7acf57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `active: number;` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114395, "scanner": "repobility-supply-chain", "fingerprint": "fc7fbf24fcedbca168280ed001393f0f40ff6e2bc3092fbf94641870927b9be4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc7fbf24fcedbca168280ed001393f0f40ff6e2bc3092fbf94641870927b9be4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `export interface RequirementsCoverageSummary {` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114394, "scanner": "repobility-supply-chain", "fingerprint": "c322e0acda5cf1846e677998dfb24e553dd136c7d9d05eb7f50b262cc19a84c7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c322e0acda5cf1846e677998dfb24e553dd136c7d9d05eb7f50b262cc19a84c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `import type { GSDState, Requirement } from \"./types.js\";` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114393, "scanner": "repobility-supply-chain", "fingerprint": "1e570985cf4a8e0930f6764a65d4d62fe2ff0cd4f8384cc1e7eb9599175e9cf4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e570985cf4a8e0930f6764a65d4d62fe2ff0cd4f8384cc1e7eb9599175e9cf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `import { getActiveRequirements } from \"./gsd-db.js\";` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114392, "scanner": "repobility-supply-chain", "fingerprint": "2691e1bd87416733736d61c9d4e6a8f6c8c26a5e258f5683ca30c424c800bf5b", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2691e1bd87416733736d61c9d4e6a8f6c8c26a5e258f5683ca30c424c800bf5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `import { isInteractiveCommandContext } from \"./command-feedback.js\";` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114391, "scanner": "repobility-supply-chain", "fingerprint": "33b4816ea0209db5cd9aea40afc99dfb70b4c54a11b090f61af2d67d6ecd7948", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33b4816ea0209db5cd9aea40afc99dfb70b4c54a11b090f61af2d67d6ecd7948"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `import { showNextAction } from \"../shared/tui.js\";` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114390, "scanner": "repobility-supply-chain", "fingerprint": "6445321458b3f1156c11d2d5ef7e4439da3cc80d76cd8efa0bce099c18ed1d18", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6445321458b3f1156c11d2d5ef7e4439da3cc80d76cd8efa0bce099c18ed1d18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `import { existsSync } from \"node:fs\";` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114389, "scanner": "repobility-supply-chain", "fingerprint": "24778eb63bd8f0a43ba4c387e78cd16b3edcff30f32f887efdc01b67c2fc3afb", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24778eb63bd8f0a43ba4c387e78cd16b3edcff30f32f887efdc01b67c2fc3afb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `import { join } from \"node:path\";` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114388, "scanner": "repobility-supply-chain", "fingerprint": "53d77d47b153b0d928098d736d66888be98a46fa3f3e6c78a1237d7223ce08a5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|53d77d47b153b0d928098d736d66888be98a46fa3f3e6c78a1237d7223ce08a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `// File Purpose: Shared helpers for surfacing unmapped active requirements at project completion.` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114387, "scanner": "repobility-supply-chain", "fingerprint": "4e61eca89245c3603d8dc738b050e7a7218ab5f835111dda42daa81ff5e325b5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e61eca89245c3603d8dc738b050e7a7218ab5f835111dda42daa81ff5e325b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `// Project/App: gsd-pi` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). 
Reproducible installs need exact pins."}, "properties": {"repobilityId": 114386, "scanner": "repobility-supply-chain", "fingerprint": "93ae912795dced74d50f66c8beb4aabae94730ba73afd743951305c045d8a1cd", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93ae912795dced74d50f66c8beb4aabae94730ba73afd743951305c045d8a1cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/requirements-backlog.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 114346, "scanner": "repobility-ast-engine", "fingerprint": "b680f4e866ba0a034214737f3e13cfb53acc66a5bd95919c968f54ee2513dea7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b680f4e866ba0a034214737f3e13cfb53acc66a5bd95919c968f54ee2513dea7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 452}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 114345, "scanner": "repobility-ast-engine", "fingerprint": "c5a09397bc0e99c4cf6f179e68ba1c7fa86250d117148ad32ce0b35f1279b824", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5a09397bc0e99c4cf6f179e68ba1c7fa86250d117148ad32ce0b35f1279b824"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 114344, "scanner": "repobility-ast-engine", "fingerprint": "9288ff05ea7aa01235f6c26a5b8e64102652b35e4289c002f4c483a21dc61c3f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9288ff05ea7aa01235f6c26a5b8e64102652b35e4289c002f4c483a21dc61c3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 458}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 114343, "scanner": "repobility-ast-engine", "fingerprint": "5175c6ef087b89df08fdf95bd736dfe0be9725ca43ef95175fe7c570656e1fdf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5175c6ef087b89df08fdf95bd736dfe0be9725ca43ef95175fe7c570656e1fdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 352}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 114342, "scanner": "repobility-ast-engine", "fingerprint": "97c7a87d43760a3561e7d7aa4071cac67208e07f593a9c7a8b3e101ca198935b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97c7a87d43760a3561e7d7aa4071cac67208e07f593a9c7a8b3e101ca198935b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 114341, "scanner": "repobility-ast-engine", "fingerprint": "48666f689a33a2e3bc5aae7e7a494d44c3678750d135c65c1ced227934fc2d5c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|48666f689a33a2e3bc5aae7e7a494d44c3678750d135c65c1ced227934fc2d5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 114340, "scanner": "repobility-ast-engine", "fingerprint": "eaea404f42f295e06d33298de20d4d3c2624c4e3eccc936afa4e12e95c7fdf31", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eaea404f42f295e06d33298de20d4d3c2624c4e3eccc936afa4e12e95c7fdf31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/voice/speech-recognizer.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114337, "scanner": 
"repobility-journey-contract", "fingerprint": "a6efa6640f8519d7a2bf11937d1cebc35fa1f1eea9c120bc8593934641144bab", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/browse-directories{param}", "correlation_key": "fp|a6efa6640f8519d7a2bf11937d1cebc35fa1f1eea9c120bc8593934641144bab", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/onboarding/step-dev-root.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114336, "scanner": "repobility-journey-contract", "fingerprint": "db43ac4d27930ce6cde8edeb67ed50c9b1df476445b44a3ef815c5fe6fe952c0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/terminal/upload", "correlation_key": "fp|db43ac4d27930ce6cde8edeb67ed50c9b1df476445b44a3ef815c5fe6fe952c0", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/main-session-terminal.tsx"}, "region": {"startLine": 342}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114335, 
"scanner": "repobility-journey-contract", "fingerprint": "e622c8be848c0276b0eeabf25b4e043180dc960aa2320c24845b04baef1fe98e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/bridge-terminal/stream", "correlation_key": "fp|e622c8be848c0276b0eeabf25b4e043180dc960aa2320c24845b04baef1fe98e", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/main-session-terminal.tsx"}, "region": {"startLine": 195}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114334, "scanner": "repobility-journey-contract", "fingerprint": "ee376bd0f25841e82989566513baab58929267e98acc752009648432124b2277", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/bridge-terminal/resize", "correlation_key": "fp|ee376bd0f25841e82989566513baab58929267e98acc752009648432124b2277", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/main-session-terminal.tsx"}, "region": {"startLine": 134}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 
114333, "scanner": "repobility-journey-contract", "fingerprint": "45b6cc5cdc1d9cb3035b82ef99a3e9f97a46f8dd26762e01cf3671cde7f7cb54", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/bridge-terminal/input", "correlation_key": "fp|45b6cc5cdc1d9cb3035b82ef99a3e9f97a46f8dd26762e01cf3671cde7f7cb54", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/main-session-terminal.tsx"}, "region": {"startLine": 106}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114332, "scanner": "repobility-journey-contract", "fingerprint": "9855b1b25ca12ca5a4c8fbef46a624a97f188965c7b68a31a59d4c809ef1b14c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|9855b1b25ca12ca5a4c8fbef46a624a97f188965c7b68a31a59d4c809ef1b14c", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 1007}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114331, "scanner": 
"repobility-journey-contract", "fingerprint": "951f8a1c3f030bd1fdbb70abe111cd53d16290ceeed381d09c5f1179acbabc14", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|951f8a1c3f030bd1fdbb70abe111cd53d16290ceeed381d09c5f1179acbabc14", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 986}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114330, "scanner": "repobility-journey-contract", "fingerprint": "56726b9f6c3d33759448f0d744f3eecfdc446cdfa674bb9cf107156c87138fdd", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|56726b9f6c3d33759448f0d744f3eecfdc446cdfa674bb9cf107156c87138fdd", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 868}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114329, "scanner": "repobility-journey-contract", "fingerprint": 
"719e626aea86fad9f467f7bdba1e8e65e3b24fdf248bf219ade32965e25148fd", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|719e626aea86fad9f467f7bdba1e8e65e3b24fdf248bf219ade32965e25148fd", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 828}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114328, "scanner": "repobility-journey-contract", "fingerprint": "6eb76acff734081b59035f8735aa3a55b53f5ab96dc719754f967b8d8a209d88", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|6eb76acff734081b59035f8735aa3a55b53f5ab96dc719754f967b8d8a209d88", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 739}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114327, "scanner": "repobility-journey-contract", "fingerprint": 
"14136444a95f08fb89a67cfdf241ce0fd910df069c0722a3fa5873ae4e16bbf3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/files", "correlation_key": "fp|14136444a95f08fb89a67cfdf241ce0fd910df069c0722a3fa5873ae4e16bbf3", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/files-view.tsx"}, "region": {"startLine": 563}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114326, "scanner": "repobility-journey-contract", "fingerprint": "e28e64d3678eabef93911645947f34a78a05c622703895b8741927882cd89c26", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/visualizer", "correlation_key": "fp|e28e64d3678eabef93911645947f34a78a05c622703895b8741927882cd89c26", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/dashboard.tsx"}, "region": {"startLine": 137}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114325, "scanner": "repobility-journey-contract", "fingerprint": 
"8ed6391d786ae5c4f75aeaaa3ac3f7247f0d105e9bd337afc2699f9780487089", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/shutdown", "correlation_key": "fp|8ed6391d786ae5c4f75aeaaa3ac3f7247f0d105e9bd337afc2699f9780487089", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/app-shell.tsx"}, "region": {"startLine": 650}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 114324, "scanner": "repobility-journey-contract", "fingerprint": "04bf2394405baadda8c45aaec8aa705372ecea3956625b4f808f7158ef7deaf0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/preferences", "correlation_key": "fp|04bf2394405baadda8c45aaec8aa705372ecea3956625b4f808f7158ef7deaf0", "backend_endpoint_count": 62}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/app-shell.tsx"}, "region": {"startLine": 620}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 114323, "scanner": "repobility-journey-contract", "fingerprint": 
"efa42941a3020b7397c5637d4ff8bb07e464907f58ba03307856d3365470d73f", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|web/lib/auth.ts|47|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/lib/auth.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /update/route."}, "properties": {"repobilityId": 114322, "scanner": "repobility-access-control", "fingerprint": "6e18cdc720ecc1d46465a6d1fb7c92ab1c52d446c1f51c72574905bc0d2fe8d6", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/update/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|web/app/api/update/route.ts|11|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/update/route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /live-state/route."}, "properties": {"repobilityId": 114321, "scanner": "repobility-access-control", "fingerprint": "3c4558c692656a821e11f59d9a2ff6e3283932ccddc9236c38179abbb0d2c87e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/live-state/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|24|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/live-state/route.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /cleanup/route."}, "properties": {"repobilityId": 114320, "scanner": "repobility-access-control", "fingerprint": "7e7124deca03bd44641e29d38ba88a220ebbea028d76d8503107e187d5adbbbb", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/cleanup/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|30|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/cleanup/route.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /mcp-connections/route."}, "properties": {"repobilityId": 114319, "scanner": "repobility-access-control", "fingerprint": "1909b294921804fe5fb30390d007ce43cdc46c23c17e91fdfa461c76f1549019", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/mcp-connections/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|33|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/mcp-connections/route.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /mcp-connections/route."}, "properties": {"repobilityId": 114318, "scanner": "repobility-access-control", "fingerprint": "9f5e25724c065328976a8fa6f13c16ace78d2282ecdfd7addde05c8b76b7c2aa", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/mcp-connections/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|14|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/mcp-connections/route.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PUT /preferences/route."}, "properties": {"repobilityId": 114317, "scanner": "repobility-access-control", "fingerprint": "a909812363392e3fbfc2bb89b76dfab5f8fa0332c344346ee1f12d122eaa69e4", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/preferences/route", "method": "PUT", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|47|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/preferences/route.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /preferences/route."}, "properties": {"repobilityId": 114316, "scanner": "repobility-access-control", "fingerprint": "04293089aaca1dc36689853a3f25862a4e1d7425e56371cfa8c7df9766046cd2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/preferences/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|27|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/preferences/route.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /visualizer/route."}, "properties": {"repobilityId": 114315, "scanner": "repobility-access-control", "fingerprint": "6ec392c2f635cc45134db9207948c5acc3f3cf8f93a774376aa8dd0c9bae4c6f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/visualizer/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|7|auc009", "duplicate_count": 2, "identity_targets": ["unknown"], "duplicate_rule_ids": ["AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["6669af642ea2a0496d3e3859eb117715cb45f930464e8f1299bb7941124d8c9f", "6ec392c2f635cc45134db9207948c5acc3f3cf8f93a774376aa8dd0c9bae4c6f", "a795727a94420f8879576df65db7409dd801a46838aa5ae569dd9c9ab24d40c6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/visualizer/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /session/manage/route."}, "properties": {"repobilityId": 114314, "scanner": "repobility-access-control", "fingerprint": "7f94ce29c18b4c34126ace52193b52c5698d934f9284d2ee49a634f432b5b437", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/session/manage/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|50|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/session/manage/route.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /terminal/resize/route."}, "properties": {"repobilityId": 114313, "scanner": "repobility-access-control", "fingerprint": "6b1573f57a7ccdefa946494e5051d0a0d0a9721a6f489cbc782da0ab89a4af7f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/terminal/resize/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|13|auc004", "duplicate_count": 1, "identity_targets": ["authenticated", "admin"], "duplicate_rule_ids": ["AUC004"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["5ca96a6556a7f498475c2f64b066a4def25d73134cfd829ea4f7da3a96fb78eb", "6b1573f57a7ccdefa946494e5051d0a0d0a9721a6f489cbc782da0ab89a4af7f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/terminal/resize/route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings-data/route."}, "properties": {"repobilityId": 114312, "scanner": "repobility-access-control", "fingerprint": "c2d1657e7f164f45ac5559eb1e2eef63e6650cf5327771fb608bb49da9301c34", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings-data/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|7|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/settings-data/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 14.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, 
"properties": {"repobilityId": 114311, "scanner": "repobility-access-control", "fingerprint": "9881722652e1d068ff5485a6a0d618275a227181f7279ad2d42371e839f498ab", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 62, "correlation_key": "fp|9881722652e1d068ff5485a6a0d618275a227181f7279ad2d42371e839f498ab", "auth_visible_percent": 14.5}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 114310, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 114307, "scanner": "repobility-docker", "fingerprint": "4ec8977eddc1dfd7781c6b39a8b6456b7338d5b7f6333731329c77665abf4cce", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", 
"scanner": "repobility-docker", "final_base": "node:24-bookworm-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4ec8977eddc1dfd7781c6b39a8b6456b7338d5b7f6333731329c77665abf4cce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.sandbox"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 114306, "scanner": "repobility-docker", "fingerprint": "d0f0881a624a71c76f9e77e4c377542768a2d8434dc51c1d6f13a1c7ee466d16", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d0f0881a624a71c76f9e77e4c377542768a2d8434dc51c1d6f13a1c7ee466d16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.ci-builder"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 114303, "scanner": "repobility-docker", "fingerprint": "a156242dd27dabfd41467a6d04d8d65419bd4cccb8016c111253565bc443c638", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", 
"scanner": "repobility-docker", "final_base": "node:24-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a156242dd27dabfd41467a6d04d8d65419bd4cccb8016c111253565bc443c638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 54}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 114301, "scanner": "repobility-agent-runtime", "fingerprint": "4a80c3a9add4fa096fd2c5be91ff0f9ad3eaa9539c1f60a3bc09acca013b65fa", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|4a80c3a9add4fa096fd2c5be91ff0f9ad3eaa9539c1f60a3bc09acca013b65fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/export-html/template.js"}, "region": {"startLine": 1693}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 114300, "scanner": "repobility-agent-runtime", "fingerprint": "47e16ce2e33cc15588890643be98d7ba9f4408fa34c8862130ed2b52e7d43a54", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", 
"scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|47e16ce2e33cc15588890643be98d7ba9f4408fa34c8862130ed2b52e7d43a54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/zh-CN/user-docs/getting-started.md"}, "region": {"startLine": 205}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 114269, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f3374244d1c42f0a8dfcc57c3abe8ed0fdd1e4d29bff8b8aeb15872951c21881", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|f3374244d1c42f0a8dfcc57c3abe8ed0fdd1e4d29bff8b8aeb15872951c21881"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/utils/windows-self-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks. Remediation: keep verification enabled and, if a private CA is in play, trust it explicitly (for Node, the ca option or NODE_EXTRA_CA_CERTS) rather than disabling checks. Triage note: the matched token is a bare assignment (verify = false); confirm it actually governs TLS verification (in Node that is rejectUnauthorized or NODE_TLS_REJECT_UNAUTHORIZED) and not an unrelated flag before treating the finding as confirmed."}, "properties": {"repobilityId": 114255, "scanner": "repobility-threat-engine", "fingerprint": "0f80e3fdb41156891fe774af40687e672590116306971e8a312615cdcfb5c731", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "verify = false", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|90|sec014"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update-gsd-browser-local.mjs"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0). Remediation: derive nonces, tokens and keys from crypto.getRandomValues() or crypto.randomUUID() (Web and Node) or crypto.randomBytes (Node) instead of Math.random()."}, "properties": {"repobilityId": 114250, "scanner": "repobility-threat-engine", "fingerprint": "bfa16812a196f8aa61352d1aa4f2f0d212ae51dabd5e54dbfd2670795510c260", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * chars.length));\n\t}\n\treturn nonce", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bfa16812a196f8aa61352d1aa4f2f0d212ae51dabd5e54dbfd2670795510c260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vscode-extension/src/conversation-history.ts"}, "region": {"startLine": 425}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0). Remediation: derive unguessable names and tokens from crypto.randomUUID() or crypto.randomBytes; for temporary directories prefer fs.mkdtempSync, which atomically creates a uniquely named directory instead of composing a guessable path."}, "properties": {"repobilityId": 114249, "scanner": "repobility-threat-engine", "fingerprint": "98b489ea82aff27562f205b10bfdbe7a187a4d1a04a6db6df02dbd63f8cf42ce", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2, 10)}`,\n\t);\n\tmkdirSync(extractDir, { recursiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|98b489ea82aff27562f205b10bfdbe7a187a4d1a04a6db6df02dbd63f8cf42ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/utils/tools-manager.ts"}, "region": {"startLine": 275}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 114241, "scanner": "repobility-threat-engine", "fingerprint": "df95283ae850e0b5f1ecb45780cbfc634265d4005abf8e6f7ad854ebbc1ab217", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df95283ae850e0b5f1ecb45780cbfc634265d4005abf8e6f7ad854ebbc1ab217"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vscode-extension/src/chat-participant.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 
114240, "scanner": "repobility-threat-engine", "fingerprint": "9a86e542df396860975b1648d48096e8c05b68967da22c8aff0ffa5d3718d552", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a86e542df396860975b1648d48096e8c05b68967da22c8aff0ffa5d3718d552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/notifications.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 114239, "scanner": "repobility-threat-engine", "fingerprint": "b16135bf2eeda218456c72102f877df752ecf9f5f2c5792d927c6f3956f7d339", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b16135bf2eeda218456c72102f877df752ecf9f5f2c5792d927c6f3956f7d339"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-agent-core/src/proxy.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection). Note for JavaScript/TypeScript: the matched token .exec( covers both RegExp.prototype.exec, which executes no code, and child_process.exec, which runs its command string through a shell; only the latter is an injection sink. Confirm which API each flagged call uses, and where it is child_process.exec with untrusted or interpolated input, switch to execFile or spawn with an argument array and no shell."}, "properties": {"repobilityId": 114220, "scanner": "repobility-threat-engine", "fingerprint": "730c026d9fdf034a4a89e4ece7ef931d4e23816737ff50cd45f664b0718d39f7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|105|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-modes/src/modes/interactive/interactive-notify-render.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection). Note for JavaScript/TypeScript: the matched token .exec( covers both RegExp.prototype.exec, which executes no code, and child_process.exec, which runs its command string through a shell; only the latter is an injection sink. Confirm which API each flagged call uses, and where it is child_process.exec with untrusted or interpolated input, switch to execFile or spawn with an argument array and no shell."}, "properties": {"repobilityId": 114219, "scanner": "repobility-threat-engine", "fingerprint": "b2fef30b788ef4682507cff0ee614a56ff2ffba86816aa64fc66c8f30cb70b18", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|207|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/export-html/ansi-to-html.ts"}, "region": {"startLine": 207}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection). Note for JavaScript/TypeScript: the matched token .exec( covers both RegExp.prototype.exec, which executes no code, and child_process.exec, which runs its command string through a shell; only the latter is an injection sink. Confirm which API each flagged call uses, and where it is child_process.exec with untrusted or interpolated input, switch to execFile or spawn with an argument array and no shell."}, "properties": {"repobilityId": 114218, "scanner": "repobility-threat-engine", "fingerprint": "9c9ee8976b3de99bc1411ccf00c0d6ffa4f91c9bd2db53b28583b6fe8c837a9f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|108|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/bash-executor.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 114309, "scanner": "repobility-docker", "fingerprint": "811effad619f082c7dbaf89ce19da72ae754b998589a599f5ba747f5558bda72", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "gsd", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|811effad619f082c7dbaf89ce19da72ae754b998589a599f5ba747f5558bda72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 114308, "scanner": "repobility-docker", "fingerprint": "909539467a9104c1aa907302e03d93cb733ccd16ff6338b2d0666346f543c959", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "gsd", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|909539467a9104c1aa907302e03d93cb733ccd16ff6338b2d0666346f543c959"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 114304, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114299, "scanner": "repobility-ai-code-hygiene", "fingerprint": "14326c1f905eff2362cf04214c3e001518363726a35a489d4dfa26a964e6b993", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-agent-core/src/proxy.ts", "duplicate_line": 84, "correlation_key": "fp|14326c1f905eff2362cf04214c3e001518363726a35a489d4dfa26a964e6b993"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/register-builtins.ts"}, "region": {"startLine": 138}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114298, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c179555931085bb1c42d57a46a0da4270bfdeeed6818ad288afcc128d2075e86", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/fake.ts", "duplicate_line": 172, "correlation_key": "fp|c179555931085bb1c42d57a46a0da4270bfdeeed6818ad288afcc128d2075e86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/register-builtins.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114297, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2eca6a36037ad6cb70046ca12fca394a24371fa3a771542e9480e6890969930c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/mistral.ts", 
"duplicate_line": 115, "correlation_key": "fp|2eca6a36037ad6cb70046ca12fca394a24371fa3a771542e9480e6890969930c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/register-builtins.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114296, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d49d447404ab8bc2c5529ee5da208a79d63cda9bc84a93f14d15d84ef2e1e501", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/azure-openai-responses.ts", "duplicate_line": 77, "correlation_key": "fp|d49d447404ab8bc2c5529ee5da208a79d63cda9bc84a93f14d15d84ef2e1e501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/openai-responses.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114295, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2a5aab7f537f3d5723f452c50338659bea13b291786ca35bf9012da9e2988b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 73, "correlation_key": 
"fp|b2a5aab7f537f3d5723f452c50338659bea13b291786ca35bf9012da9e2988b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/openai-responses.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114294, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1cbff4404007068ef1ecf531ee7913a814d3b36108052ab6ce59e3684553c531", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/anthropic-vertex.ts", "duplicate_line": 52, "correlation_key": "fp|1cbff4404007068ef1ecf531ee7913a814d3b36108052ab6ce59e3684553c531"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/openai-responses.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114293, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27033854653c5375f2abc96c302214b8a5749d7df3196a8bd1a10696373b85eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 73, "correlation_key": "fp|27033854653c5375f2abc96c302214b8a5749d7df3196a8bd1a10696373b85eb"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/mistral.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b81c0dd0c473cdfaa4407b930f9f4a21c59f880974069b0f67f44a39a74a9bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-agent-core/src/proxy.ts", "duplicate_line": 84, "correlation_key": "fp|6b81c0dd0c473cdfaa4407b930f9f4a21c59f880974069b0f67f44a39a74a9bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/mistral.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "250cef5f886b0873fcf53cede87dbc095ef898b30040524fcea37fefd70c330b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/fake.ts", "duplicate_line": 172, "correlation_key": "fp|250cef5f886b0873fcf53cede87dbc095ef898b30040524fcea37fefd70c330b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/mistral.ts"}, "region": {"startLine": 116}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8dafaeda7d82f851e2c713dbe7c6d307ae2028e60ee2d2f3965dde647eb4069a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/azure-openai-responses.ts", "duplicate_line": 77, "correlation_key": "fp|8dafaeda7d82f851e2c713dbe7c6d307ae2028e60ee2d2f3965dde647eb4069a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114289, "scanner": "repobility-ai-code-hygiene", "fingerprint": "803c0e6fc6712856e8f4e0c98d3cb1100352f5ae6db356f0e65a33b73c9654dc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 73, "correlation_key": "fp|803c0e6fc6712856e8f4e0c98d3cb1100352f5ae6db356f0e65a33b73c9654dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 114288, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a7b06af35a16389b82543e6e49e90a5f0f950fb16b3d6c1e2e75dac3129a1762", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/google-vertex.ts", "duplicate_line": 23, "correlation_key": "fp|a7b06af35a16389b82543e6e49e90a5f0f950fb16b3d6c1e2e75dac3129a1762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114287, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a741d632cc9d8c4b0e60c2aa2f324f0dd32d98c4e2280b0de5481eb41c6a448b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/azure-openai-responses.ts", "duplicate_line": 77, "correlation_key": "fp|a741d632cc9d8c4b0e60c2aa2f324f0dd32d98c4e2280b0de5481eb41c6a448b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google-vertex.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114286, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"33067f9a12824c38a1683846f7fcc6e87fe2db2f0003b3b36773e1fd9a58000c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 73, "correlation_key": "fp|33067f9a12824c38a1683846f7fcc6e87fe2db2f0003b3b36773e1fd9a58000c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/google-vertex.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114285, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dab0039c678bbce2903edd9bb6a33f545e8d5a165901ac361c0575d72e8ce961", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-agent-core/src/proxy.ts", "duplicate_line": 84, "correlation_key": "fp|dab0039c678bbce2903edd9bb6a33f545e8d5a165901ac361c0575d72e8ce961"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/fake.ts"}, "region": {"startLine": 173}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114284, "scanner": "repobility-ai-code-hygiene", "fingerprint": "68dc48bebba1849a16827cb12259619805128f311894c269c000d25ffe524d11", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 73, "correlation_key": "fp|68dc48bebba1849a16827cb12259619805128f311894c269c000d25ffe524d11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/azure-openai-responses.ts"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114283, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a624425cd9e0df293b99bd79d206555556f28a381e01728bf9c7d5cc2fe5fa3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-ai/src/providers/amazon-bedrock.ts", "duplicate_line": 403, "correlation_key": "fp|0a624425cd9e0df293b99bd79d206555556f28a381e01728bf9c7d5cc2fe5fa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/anthropic-vertex.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114282, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d7e73bf50b96eb78be018b242dae3c4ca980e15b4e5539893cd838f8c23da074", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-agent-core/src/harness/prompt-templates.ts", "duplicate_line": 170, "correlation_key": "fp|d7e73bf50b96eb78be018b242dae3c4ca980e15b4e5539893cd838f8c23da074"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-agent-core/src/harness/skills.ts"}, "region": {"startLine": 251}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114281, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f265cebf96a79b529019a02a801ad8154041fb37cc3a9f628a2b281ceb518746", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pi-agent-core/src/harness/session/jsonl-storage.ts", "duplicate_line": 14, "correlation_key": "fp|f265cebf96a79b529019a02a801ad8154041fb37cc3a9f628a2b281ceb518746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-agent-core/src/harness/session/memory-storage.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114280, "scanner": "repobility-ai-code-hygiene", "fingerprint": "01d3399399452f1cf5c843700eeb6a0a852d6fba5767996c070f2c65bd03d61a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/gsd-agent-core/src/compaction/utils.ts", "duplicate_line": 4, "correlation_key": "fp|01d3399399452f1cf5c843700eeb6a0a852d6fba5767996c070f2c65bd03d61a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-agent-core/src/harness/compaction/utils.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114279, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d00a7f224b15a2e245b7534e141227572ca5b1315992f8a3f86f4e9534cb0655", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/gsd-agent-core/src/compaction/compaction.ts", "duplicate_line": 28, "correlation_key": "fp|d00a7f224b15a2e245b7534e141227572ca5b1315992f8a3f86f4e9534cb0655"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-agent-core/src/harness/compaction/compaction.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114278, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e587122e8e9617b03717c7598ffb052e87997968d7705b905ee0301212ed9f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/gsd-agent-core/src/compaction/branch-summarization.ts", "duplicate_line": 80, "correlation_key": "fp|0e587122e8e9617b03717c7598ffb052e87997968d7705b905ee0301212ed9f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-agent-core/src/harness/compaction/branch-summarization.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114277, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2712b9c61d73b947468dfac2817b7397b4fb7e0242f12e8e7f544efa94b01f1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/daemon/src/types.ts", "duplicate_line": 44, "correlation_key": "fp|b2712b9c61d73b947468dfac2817b7397b4fb7e0242f12e8e7f544efa94b01f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/types.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114276, "scanner": "repobility-ai-code-hygiene", "fingerprint": "314073c70fed52083ffcaa8405f60111c8598c9617b52315e936c4433c9f1a78", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/daemon/src/session-manager.ts", "duplicate_line": 23, "correlation_key": "fp|314073c70fed52083ffcaa8405f60111c8598c9617b52315e936c4433c9f1a78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/mcp-server/src/session-manager.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114275, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3869a6b70c53b35b0e2ae414217a364bfaf380e63e072eec16f4f5c0d01a3d06", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/gsd-agent-modes/src/modes/interactive/components/compaction-summary-message.ts", "duplicate_line": 38, "correlation_key": "fp|3869a6b70c53b35b0e2ae414217a364bfaf380e63e072eec16f4f5c0d01a3d06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-modes/src/modes/interactive/components/skill-invocation-message.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114274, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f84e03f420ea4b8b69d914d60d48e4692bf64321ad1d125785832a4b474b6cbf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/gsd-agent-modes/src/cli/list-models.ts", "duplicate_line": 7, "correlation_key": "fp|f84e03f420ea4b8b69d914d60d48e4692bf64321ad1d125785832a4b474b6cbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-modes/src/modes/interactive/components/model-selector.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114273, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8798a900734b540c2b45b1b076cda2625defc0c2ac6896e0c7dd5bcbe4214207", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/gsd-agent-modes/src/modes/interactive/components/extension-input.ts", "duplicate_line": 35, "correlation_key": "fp|8798a900734b540c2b45b1b076cda2625defc0c2ac6896e0c7dd5bcbe4214207"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-modes/src/modes/interactive/components/extension-selector.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114272, "scanner": "repobility-ai-code-hygiene", "fingerprint": "748fb6fca6a4d61b9bfc7fde8c8be8088a8d40a3877ff5841ad6bd540b37eff8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/contracts/src/rpc.ts", "duplicate_line": 62, "correlation_key": "fp|748fb6fca6a4d61b9bfc7fde8c8be8088a8d40a3877ff5841ad6bd540b37eff8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/session/agent-session-types.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114271, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5610ea18d18760bd13e254d38f6128a1de1e2b6c7e84cad514def620af6a5bab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/gsd-agent-core/src/agent-session.ts", "duplicate_line": 102, "correlation_key": "fp|5610ea18d18760bd13e254d38f6128a1de1e2b6c7e84cad514def620af6a5bab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/session/agent-session-host.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114270, "scanner": "repobility-ai-code-hygiene", "fingerprint": "766416315cbc6e2f4283ab00d9657046e4e6e9f784483dd28e2082bb4fec1468", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "native/crates/ast/src/glob_util.rs", "duplicate_line": 1, "correlation_key": 
"fp|766416315cbc6e2f4283ab00d9657046e4e6e9f784483dd28e2082bb4fec1468"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/crates/engine/src/glob_util.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 114268, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e47ed643fa87d97a13a7625026cccbd98e27ce24bc3dedabf6c10699cdbfc5ec", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "backup", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e47ed643fa87d97a13a7625026cccbd98e27ce24bc3dedabf6c10699cdbfc5ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/db-migration-backup.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 114267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f72c26a9282ce88c0a0a32a0ed654e9b46a8ca3b17ed07ecb64b9beb2425d425", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|f72c26a9282ce88c0a0a32a0ed654e9b46a8ca3b17ed07ecb64b9beb2425d425"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/utils/windows-self-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", 
"message": {"text": "[COMP001] High cognitive complexity: Function `_close_issues` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, for=2, if=2, nested_bonus=4."}, "properties": {"repobilityId": 114261, "scanner": "repobility-threat-engine", "fingerprint": "f27d07157d82ae7d6fa9c1c6b2024309a5fe7c7c302106b8252e583a1082b0d4", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_close_issues", "breakdown": {"if": 2, "for": 2, "continue": 1, "nested_bonus": 4}, "complexity": 9, "correlation_key": "fp|f27d07157d82ae7d6fa9c1c6b2024309a5fe7c7c302106b8252e583a1082b0d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/scripts/experiment_cleanup.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `list_resources` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, for=4, if=2, nested_bonus=4, ternary=1."}, "properties": {"repobilityId": 114260, "scanner": "repobility-threat-engine", "fingerprint": "c4a2e646bd331bc9e1ca539e893e13bb7f5b0cf7a04f3fe4f76c13c96f854d8a", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "list_resources", "breakdown": {"if": 2, "for": 4, "ternary": 1, "continue": 1, "nested_bonus": 4}, "complexity": 12, "correlation_key": "fp|c4a2e646bd331bc9e1ca539e893e13bb7f5b0cf7a04f3fe4f76c13c96f854d8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/scripts/experiment_cleanup.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 114266, "scanner": "repobility-threat-engine", "fingerprint": "88839d9f0adcb2a4e3943d9d358842eca000841c4628d02acb65dc38c5f6b367", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88839d9f0adcb2a4e3943d9d358842eca000841c4628d02acb65dc38c5f6b367"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/ui/chart.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 114265, "scanner": "repobility-threat-engine", "fingerprint": "5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "aggregated_count": 2}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 114264, "scanner": "repobility-threat-engine", "fingerprint": "b6d80bb2a64b217561a710842192b86bd3032a660fede2bbef7935b98c6d842c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6d80bb2a64b217561a710842192b86bd3032a660fede2bbef7935b98c6d842c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/project-welcome.tsx"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 114263, "scanner": "repobility-threat-engine", "fingerprint": "6fa505459b24554893653e915695a26554455c96c64e1b13974ddce56b759ea5", 
"category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6fa505459b24554893653e915695a26554455c96c64e1b13974ddce56b759ea5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/onboarding-gate.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 114262, "scanner": "repobility-threat-engine", "fingerprint": "9625f3fb38f7dbb0a54ec53ae6a8da6a9de4790f4fc6ab475ba448ba392bbfae", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9625f3fb38f7dbb0a54ec53ae6a8da6a9de4790f4fc6ab475ba448ba392bbfae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/loading-skeletons.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password 
found in source code."}, "properties": {"repobilityId": 114259, "scanner": "repobility-threat-engine", "fingerprint": "2e03d00c873bcf0c2b3bbf56765c22bc743be69c99e9f6461e21d37e7fb04b6d", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "PASSWORD='<redacted>'", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|6|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/agent-browser/templates/authenticated-session.sh"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 114254, "scanner": "repobility-threat-engine", "fingerprint": "ef6648174e9bc7ec97b48136d8afbf8d25a754af5076f228ffb9eb95ae3229cd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef6648174e9bc7ec97b48136d8afbf8d25a754af5076f228ffb9eb95ae3229cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/tui-open-surface-demo.mjs"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 114243, "scanner": "repobility-threat-engine", "fingerprint": "766a3f806b6272ae621d2c2637e9d48a5e9c1a4483d5b62812b4ebd02a6dac8c", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|202|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/examples/extensions/custom-provider-gitlab-duo/index.ts"}, "region": {"startLine": 202}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 114242, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "properties": {"repobilityId": 114236, "scanner": "repobility-threat-engine", "fingerprint": "9f5b2a516bc52c0d8a94afd29d523bd05f3bd6054367044673e93db015d82ba3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9f5b2a516bc52c0d8a94afd29d523bd05f3bd6054367044673e93db015d82ba3"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 114230, "scanner": "repobility-threat-engine", "fingerprint": "2813c1e44a10ea5308a9b2a28c41c15a7b2343ee883e54a3536123f14fb26db0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2813c1e44a10ea5308a9b2a28c41c15a7b2343ee883e54a3536123f14fb26db0", "aggregated_count": 24}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 114229, "scanner": "repobility-threat-engine", "fingerprint": "64e1a6be8c8660cec5b3bafa089e5570b018fbb7e98a099143b9e235ddfc3a05", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64e1a6be8c8660cec5b3bafa089e5570b018fbb7e98a099143b9e235ddfc3a05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-agent-core/src/proxy.ts"}, "region": {"startLine": 323}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 114228, "scanner": "repobility-threat-engine", "fingerprint": "92df9c3641b2ee5b8617b8ee6a9e4f13a647f5548bb43187622a16a9403dd7ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92df9c3641b2ee5b8617b8ee6a9e4f13a647f5548bb43187622a16a9403dd7ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-modes/src/modes/interactive/interactive-extension-tools.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 114227, "scanner": "repobility-threat-engine", "fingerprint": "75e133c66e90d491db4a8b7362018bfa6d42c28d18365f979e315fce94c9b987", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|75e133c66e90d491db4a8b7362018bfa6d42c28d18365f979e315fce94c9b987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/image-overflow-recovery.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 35 more): Same pattern found in 35 additional files. 
Review if needed."}, "properties": {"repobilityId": 114225, "scanner": "repobility-threat-engine", "fingerprint": "47f9601753ae22f0b9e47825e77ec6e2b5ec3b638fcf77e910682202190746e7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|47f9601753ae22f0b9e47825e77ec6e2b5ec3b638fcf77e910682202190746e7", "aggregated_count": 35}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 114224, "scanner": "repobility-threat-engine", "fingerprint": "6b904363a7d5cc3b189bf4bf8566c368657bf117674dad332349589075e40469", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b904363a7d5cc3b189bf4bf8566c368657bf117674dad332349589075e40469"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-modes/src/modes/interactive/controllers/extension-ui-controller.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 114223, "scanner": "repobility-threat-engine", "fingerprint": "2cdf4478131971ad9f32453d396154850c45f50491697a8ae4d72882aa3cdc3e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2cdf4478131971ad9f32453d396154850c45f50491697a8ae4d72882aa3cdc3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/export-html/tool-renderer.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 114222, "scanner": "repobility-threat-engine", "fingerprint": "a5cb715f01851b57f12e19c4b932b7f1e074b3fa8979ced84d57d6ddab7d3692", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5cb715f01851b57f12e19c4b932b7f1e074b3fa8979ced84d57d6ddab7d3692"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/blob-store.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 114221, "scanner": "repobility-threat-engine", "fingerprint": "ef47e704f23e65c9d318e124d575cc2012ca3303ba35b49a50e1e1296ce5e578", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 40 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ef47e704f23e65c9d318e124d575cc2012ca3303ba35b49a50e1e1296ce5e578"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 49 more): Same pattern found in 49 additional files. Review if needed."}, "properties": {"repobilityId": 114217, "scanner": "repobility-threat-engine", "fingerprint": "0c5ab2a69cf4c086f3a493e1ce2900793157a5a1578d82f38ef7fbc2d4b4b9e4", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 49 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 49 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0c5ab2a69cf4c086f3a493e1ce2900793157a5a1578d82f38ef7fbc2d4b4b9e4"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 114213, "scanner": "repobility-threat-engine", "fingerprint": "78f2a7e45dfb820c8319b1f3433835faf9d50b6a00d447eabb370181e7f8ad92", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|78f2a7e45dfb820c8319b1f3433835faf9d50b6a00d447eabb370181e7f8ad92"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 114209, "scanner": "repobility-threat-engine", "fingerprint": "3dbb6c6c9e907c22b879f4da586acd6b6652631432d047722f1146491202231f", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(chalk.yellow(`${config.name} not found. Offline mode enabled, skipping download.`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|33|console.log chalk.yellow config.name not found. offline mode enabled skipping download."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/utils/tools-manager.ts"}, "region": {"startLine": 337}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 114208, "scanner": "repobility-threat-engine", "fingerprint": "d82378f7292492503ecae98aea79d0a233d570cb9b1e671e7759aa9690988394", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "logger.warn(\"cloud runtime skipped \u2014 missing device token or runtime id\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|logger.warn cloud runtime skipped missing device token or runtime id"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/daemon/src/cloud-runtime.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 53 more): Same pattern found in 53 additional files. Review if needed."}, "properties": {"repobilityId": 114207, "scanner": "repobility-threat-engine", "fingerprint": "9184f7359f7fc8e20dc70718f032cd204fbc50896ebb3f794819103c931e64bd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 53 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9184f7359f7fc8e20dc70718f032cd204fbc50896ebb3f794819103c931e64bd", "aggregated_count": 53}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 114206, "scanner": "repobility-threat-engine", "fingerprint": "bf620519043eae57e6251263ad1c9dbd4139befe3f7e96e0f62bb51f803da11a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bf620519043eae57e6251263ad1c9dbd4139befe3f7e96e0f62bb51f803da11a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-modes/src/modes/interactive/components/animated-component.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 114205, "scanner": "repobility-threat-engine", "fingerprint": "e13fdc8bf37c62369b0f681fe9001a9d700934fe78d5d8e1540a682dc001204e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e13fdc8bf37c62369b0f681fe9001a9d700934fe78d5d8e1540a682dc001204e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/compaction/utils.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 114204, "scanner": "repobility-threat-engine", "fingerprint": "2ab701c002d8328e0cd63e2b90843f84b7a1b99e5d075cd3b66ea02b051666ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ab701c002d8328e0cd63e2b90843f84b7a1b99e5d075cd3b66ea02b051666ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/daemon/src/channel-manager.ts"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 114203, "scanner": "repobility-threat-engine", "fingerprint": "62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 114202, "scanner": "repobility-threat-engine", "fingerprint": "f16f545a797aeed41d7cc7ed4540d24cf2b09a72dc5019e7e71a66e5dff4c3a5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f16f545a797aeed41d7cc7ed4540d24cf2b09a72dc5019e7e71a66e5dff4c3a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/utils/git.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 114201, "scanner": "repobility-threat-engine", "fingerprint": "f16188e669068929b098595565e661c46db51afbfccce9b472a3e93a38cc9ebb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f16188e669068929b098595565e661c46db51afbfccce9b472a3e93a38cc9ebb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/daemon/src/launchd.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 114200, "scanner": "repobility-threat-engine", "fingerprint": "c2b45c8de30b7efec556217b4c4c4a8c783b28e1d3bcf518edc21f922c55502b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2b45c8de30b7efec556217b4c4c4a8c783b28e1d3bcf518edc21f922c55502b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cloud-mcp-gateway/src/server.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 52 more): Same pattern found in 52 additional files. 
Review if needed."}, "properties": {"repobilityId": 114199, "scanner": "repobility-threat-engine", "fingerprint": "0a2f447ae192a44b5350f96541432174b6d8c9cc16a3162beb2a14aa44f7a8dc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 52 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 52 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0a2f447ae192a44b5350f96541432174b6d8c9cc16a3162beb2a14aa44f7a8dc"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 45 more): Same pattern found in 45 additional files. Review if needed."}, "properties": {"repobilityId": 114195, "scanner": "repobility-threat-engine", "fingerprint": "471ffa7174a62d8dcbef143a79ba7fa07735ce567436d6eda29ce943de962131", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 45 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 45 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|471ffa7174a62d8dcbef143a79ba7fa07735ce567436d6eda29ce943de962131"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 62 more): Same pattern found in 62 additional files. 
Review if needed."}, "properties": {"repobilityId": 114191, "scanner": "repobility-threat-engine", "fingerprint": "a30ea3834947d7fc691d6a8bc573c67bea100ae1670936155c8084c5dcbf2aea", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 62 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a30ea3834947d7fc691d6a8bc573c67bea100ae1670936155c8084c5dcbf2aea", "aggregated_count": 62}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 114190, "scanner": "repobility-threat-engine", "fingerprint": "af291291f4ae468fa4694b7f7999e2fc6fa1480e798603ef83995249e3c3d990", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af291291f4ae468fa4694b7f7999e2fc6fa1480e798603ef83995249e3c3d990"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/system-prompt.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 114189, "scanner": "repobility-threat-engine", "fingerprint": "9772472e4738d639c63895521b218e9d23882ea27a7200c1e2d2c3da6bdef81a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9772472e4738d639c63895521b218e9d23882ea27a7200c1e2d2c3da6bdef81a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/scripts/sync-platform-versions.cjs"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 114188, "scanner": "repobility-threat-engine", "fingerprint": "c3948889004f6b792a4f8000b2fb317479c7f406e443910ecc51663b5bbd4ec1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c3948889004f6b792a4f8000b2fb317479c7f406e443910ecc51663b5bbd4ec1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/scripts/build.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 114187, "scanner": "repobility-threat-engine", "fingerprint": "8f9c03da27b674ce6b8cddee4fa5afae1a58a4d5f70b84e22facc5c5624cd928", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f9c03da27b674ce6b8cddee4fa5afae1a58a4d5f70b84e22facc5c5624cd928"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/crates/engine/src/ps.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 114186, "scanner": "repobility-threat-engine", "fingerprint": "8b2b7f1e75205ac34231b473c399662777d534515b51861480472a2bf633ef16", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b2b7f1e75205ac34231b473c399662777d534515b51861480472a2bf633ef16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/crates/engine/src/truncate.rs"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 114185, "scanner": "repobility-threat-engine", "fingerprint": "8aa12113e52a32924a402c191e6c713a4a6749ec16c7c76d66eea7b9025ef40f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8aa12113e52a32924a402c191e6c713a4a6749ec16c7c76d66eea7b9025ef40f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "native/crates/engine/src/fd.rs"}, "region": {"startLine": 374}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/open-gsd/gsd-ci-builder:latest` unpinned: `container/services image: ghcr.io/open-gsd/gsd-ci-builder:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 114385, "scanner": "repobility-supply-chain", "fingerprint": "95e13c69f2337856996b5c31325b1e4246366acf2ce9c30c3eed8bc61e8ff944", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|95e13c69f2337856996b5c31325b1e4246366acf2ce9c30c3eed8bc61e8ff944"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin updated with Dependabot or Renovate."}, "properties": {"repobilityId": 114384, "scanner": "repobility-supply-chain", "fingerprint": "8a359cafe432374fcabaf71ff744a1c15d02a4f3ca7a6d35a1adee883b1e14ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a359cafe432374fcabaf71ff744a1c15d02a4f3ca7a6d35a1adee883b1e14ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 381}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin updated with Dependabot or Renovate."}, "properties": {"repobilityId": 114383, "scanner": "repobility-supply-chain", "fingerprint": "f17935a4c70d3bee7c7dbfb788405a34f60631f484ee9e989cad732b2249035d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f17935a4c70d3bee7c7dbfb788405a34f60631f484ee9e989cad732b2249035d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 361}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin updated with Dependabot or Renovate."}, "properties": {"repobilityId": 114382, "scanner": "repobility-supply-chain", "fingerprint": "dfcca4bcedf483233e19a8f974384af715f7c09fc733d7e678ca16ef24a99525", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dfcca4bcedf483233e19a8f974384af715f7c09fc733d7e678ca16ef24a99525"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 345}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `Swatinem/rust-cache` pinned to mutable ref `@v2`: `uses: Swatinem/rust-cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to the full 40-character commit SHA and keep the pin updated with Dependabot or Renovate."}, "properties": {"repobilityId": 114381, "scanner": "repobility-supply-chain", "fingerprint": "d743ea2c67df120faae601793efecdb2c2460e01f6adcb34f4e07e2b750c61f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d743ea2c67df120faae601793efecdb2c2460e01f6adcb34f4e07e2b750c61f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114380, "scanner": "repobility-supply-chain", "fingerprint": "12e768cdf2dacfcdd2e27ac917fcd4985a3c7be3e1633e72f3d93c29dc3b7e4d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12e768cdf2dacfcdd2e27ac917fcd4985a3c7be3e1633e72f3d93c29dc3b7e4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 301}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114379, "scanner": "repobility-supply-chain", "fingerprint": "c9c3634c75935e4186f017cacf64024299567250679a9494e20895a24aa2e1c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9c3634c75935e4186f017cacf64024299567250679a9494e20895a24aa2e1c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 296}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114378, "scanner": "repobility-supply-chain", "fingerprint": "2d5578104f06a8ce468d1f816649bd892241660438ef6f9264651190d19fe0f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d5578104f06a8ce468d1f816649bd892241660438ef6f9264651190d19fe0f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 262}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114377, "scanner": "repobility-supply-chain", "fingerprint": "ac52a789f3dedb0df2e97c37418d3ede5cf20242c7ea96d9765d4b5bac5476ca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac52a789f3dedb0df2e97c37418d3ede5cf20242c7ea96d9765d4b5bac5476ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114376, "scanner": "repobility-supply-chain", "fingerprint": "40a264b534898a4eae75b9f20bb18fa62dad2aeb4d716e4db672dea38206bbcf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40a264b534898a4eae75b9f20bb18fa62dad2aeb4d716e4db672dea38206bbcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114375, "scanner": "repobility-supply-chain", "fingerprint": "4202fdfc9b1ca711554a27b5f9e492a0b5d32329be3af7b3d8ae39336b330588", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4202fdfc9b1ca711554a27b5f9e492a0b5d32329be3af7b3d8ae39336b330588"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114374, "scanner": "repobility-supply-chain", "fingerprint": "26c4efccfa68c3136d55cff55098f438dad4bd4910797e682c181708883fe040", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26c4efccfa68c3136d55cff55098f438dad4bd4910797e682c181708883fe040"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114373, "scanner": "repobility-supply-chain", "fingerprint": "4023bd79d88c883d2e57190a7e8acc2dc966ed8d6a73dc5bdf76eaad0db489d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4023bd79d88c883d2e57190a7e8acc2dc966ed8d6a73dc5bdf76eaad0db489d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114372, "scanner": "repobility-supply-chain", "fingerprint": "e5af9986c45c448094b9ff8299138ded3b2b2a1c852b61906d9738ae0a45e457", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5af9986c45c448094b9ff8299138ded3b2b2a1c852b61906d9738ae0a45e457"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114371, "scanner": "repobility-supply-chain", "fingerprint": "489f5564c850d04a3e2a80b32e082654a76007a7c094439cbafa8c8e5f87a452", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|489f5564c850d04a3e2a80b32e082654a76007a7c094439cbafa8c8e5f87a452"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm-publish.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114370, "scanner": "repobility-supply-chain", "fingerprint": "830a9e2811e1f04405b647b52944932ebc0f874d5a8cd3ea5d3937e8f617ad38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|830a9e2811e1f04405b647b52944932ebc0f874d5a8cd3ea5d3937e8f617ad38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/forensics-check.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114369, "scanner": "repobility-supply-chain", "fingerprint": "8e345a3f6f49e50931679ea20ed04ba4f18dd1ef17e36a78412a2ee54a5765fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e345a3f6f49e50931679ea20ed04ba4f18dd1ef17e36a78412a2ee54a5765fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-audit.yml"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114368, "scanner": "repobility-supply-chain", "fingerprint": "724e3daea2b1c7a556436a57f68a64502b8d11ee20a59193ad831b9431ff68f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|724e3daea2b1c7a556436a57f68a64502b8d11ee20a59193ad831b9431ff68f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-audit.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114367, "scanner": "repobility-supply-chain", "fingerprint": "df8434e8f3da30835737b2d05d16c05bfd1caaf79f250fe5a8c88e9a9cda3d10", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df8434e8f3da30835737b2d05d16c05bfd1caaf79f250fe5a8c88e9a9cda3d10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-audit.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114366, "scanner": "repobility-supply-chain", "fingerprint": "e8308ca989be4d510df010399c9c9b4fe9260e2e41bffac1e2e370a3a0086fb6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8308ca989be4d510df010399c9c9b4fe9260e2e41bffac1e2e370a3a0086fb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-audit.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114365, "scanner": "repobility-supply-chain", "fingerprint": "5485cfd4cae21647d4bf4a7bbc17b1f27fd7d553467510eb311d29354a238b2b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5485cfd4cae21647d4bf4a7bbc17b1f27fd7d553467510eb311d29354a238b2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-audit.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114364, "scanner": "repobility-supply-chain", "fingerprint": "2573e3669798c0c7f0584a45ecd3a85114221cc41c5c7be2c7068d5bdf749945", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2573e3669798c0c7f0584a45ecd3a85114221cc41c5c7be2c7068d5bdf749945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/agent-workflow-guard.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114363, "scanner": "repobility-supply-chain", "fingerprint": "c4c8d823827df0d8760ca464872deb798f9172077714ae033634c253eb33f6fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4c8d823827df0d8760ca464872deb798f9172077714ae033634c253eb33f6fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/agent-workflow-guard.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114362, "scanner": "repobility-supply-chain", "fingerprint": "f3d864c1e26388b7e78526eead8b8883b8efe9963a9de479051364b9f856ea34", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3d864c1e26388b7e78526eead8b8883b8efe9963a9de479051364b9f856ea34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pipeline.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114361, "scanner": "repobility-supply-chain", "fingerprint": "927f8c2b4dbcf762aaac3465409be05e53bfc7852e051a22a76fabfb84b8368d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|927f8c2b4dbcf762aaac3465409be05e53bfc7852e051a22a76fabfb84b8368d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/version-check.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114360, "scanner": "repobility-supply-chain", "fingerprint": "05847fedeef88a98bd83786f646d71c8005870ee7ce7e1f8b41a127a2a12cad2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05847fedeef88a98bd83786f646d71c8005870ee7ce7e1f8b41a127a2a12cad2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cleanup-dev-versions.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm-slim` not pinned by digest: `FROM node:24-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 114359, "scanner": "repobility-supply-chain", "fingerprint": "76dc062e6f3705e052eddd5f735b671df743503ab9c6aa37b5367b5667d610c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76dc062e6f3705e052eddd5f735b671df743503ab9c6aa37b5367b5667d610c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.sandbox"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm` not pinned by digest: `FROM node:24-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 114358, "scanner": "repobility-supply-chain", "fingerprint": "67bd5084bc3d14ec07699a252051f23d74c493b0930d35fc2da134dcce140b35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67bd5084bc3d14ec07699a252051f23d74c493b0930d35fc2da134dcce140b35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.ci-builder"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@opengsd/contracts` pulled from URL/Git: `dependencies.@opengsd/contracts` = `file:../packages/contracts` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 114357, "scanner": "repobility-supply-chain", "fingerprint": "088386e8c8e2658d8e2818a6a5acbe7c03b0cf3f9aeaa89e0ea0035c5ed72bdf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|088386e8c8e2658d8e2818a6a5acbe7c03b0cf3f9aeaa89e0ea0035c5ed72bdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vscode-extension/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 114356, "scanner": "repobility-supply-chain", "fingerprint": "4ce184a7a777d8a79c0ae9b962fa7df5ba824589d88e325edd36ea160aaafd24", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ce184a7a777d8a79c0ae9b962fa7df5ba824589d88e325edd36ea160aaafd24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 114355, "scanner": "repobility-supply-chain", "fingerprint": "0f2d2485af0f480c7afac83e5f9dace9c009173a24822e58c8990b91dddcc077", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f2d2485af0f480c7afac83e5f9dace9c009173a24822e58c8990b91dddcc077"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm` not pinned by digest: `FROM node:24-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 114354, "scanner": "repobility-supply-chain", "fingerprint": "beff8ba345054a1ae2e883981ab2d57dfa349f2b4cccf65177f5862912048b77", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|beff8ba345054a1ae2e883981ab2d57dfa349f2b4cccf65177f5862912048b77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_preserves_non_status_labels` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 114353, "scanner": "repobility-ast-engine", "fingerprint": "3be143136c79e6d7c54baab0eed4eae2d0dd472a55751569a1fefcfbe9731fb5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3be143136c79e6d7c54baab0eed4eae2d0dd472a55751569a1fefcfbe9731fb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 530}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_per_issue_failure_continues_and_exits_nonzero` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 114352, "scanner": "repobility-ast-engine", "fingerprint": "e83184e24339ada98ef726c19b5d76648633f3e0e8c5c53adff7a0109e7e6c84", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e83184e24339ada98ef726c19b5d76648633f3e0e8c5c53adff7a0109e7e6c84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 514}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_closed_milestone_exits_nonzero` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 114351, "scanner": "repobility-ast-engine", "fingerprint": "bae9c798b16dbeac839b2df8fd34974fcfbba6f23efba49db8af31619165da28", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bae9c798b16dbeac839b2df8fd34974fcfbba6f23efba49db8af31619165da28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 459}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_summary_counts_reported` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 114350, "scanner": "repobility-ast-engine", "fingerprint": "24fa5c56cabc126071f08123dbc18a367be6cf9db1c7fc074eca68fbdc663fd6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|24fa5c56cabc126071f08123dbc18a367be6cf9db1c7fc074eca68fbdc663fd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 441}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_creates_in_progress_label_when_missing` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 114349, "scanner": "repobility-ast-engine", "fingerprint": "2f8f6d437e64c35f940b841070a59c7dc4b445ac35cae8ac87ee0aeadf1123ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f8f6d437e64c35f940b841070a59c7dc4b445ac35cae8ac87ee0aeadf1123ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 421}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_skips_already_in_progress_issues` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 114348, "scanner": "repobility-ast-engine", "fingerprint": "5a6619f5255220dca8c1ccbbd37f481a78319561333b95b819d2000a2c847f2f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a6619f5255220dca8c1ccbbd37f481a78319561333b95b819d2000a2c847f2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 401}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._setup_repo` used but never assigned in __init__: Method `test_transitions_needs_grooming_to_in_progress` of class `TestMilestoneStart` reads `self._setup_repo`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 114347, "scanner": "repobility-ast-engine", "fingerprint": "6ee723ec668cd316b630c5894ecf479181512e264d56d581587142769ee3e4b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6ee723ec668cd316b630c5894ecf479181512e264d56d581587142769ee3e4b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/skills/github-workflows/references/gh/tests/test_github_project_setup.py"}, "region": {"startLine": 381}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 114339, "scanner": "repobility-journey-contract", "fingerprint": "9f17371cd2c6fd4e07bf3211a168b6cc6368b0b54eccce41ffdd28a72a18900c", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|248|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/components/gsd/onboarding/step-authenticate.tsx"}, "region": {"startLine": 248}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 114338, "scanner": "repobility-journey-contract", "fingerprint": 
"c0d9f659401cee86ef55dd465065b6d41b2e968fab23f9ee384f7bcbcbdbfcba", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|80|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-ai/src/providers/amazon-bedrock.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 114305, "scanner": "repobility-docker", "fingerprint": "79c614a2f0d5a363f094db330be24c755b5b35a348ab00b605beaed0de34cc88", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|79c614a2f0d5a363f094db330be24c755b5b35a348ab00b605beaed0de34cc88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.ci-builder"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 114302, "scanner": "repobility-docker", "fingerprint": "701f586d6fca7594f9245955c2237ab31d4e317004f9a9f2e1b0267d64602dbf", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|701f586d6fca7594f9245955c2237ab31d4e317004f9a9f2e1b0267d64602dbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC092", "level": "error", "message": {"text": "[SEC092] Go: SQL via fmt.Sprintf or string concat: SQL query constructed via Sprintf or `+` enables SQL injection. Ported from gosec G201 / G202 (Apache-2.0)."}, "properties": {"repobilityId": 114258, "scanner": "repobility-threat-engine", "fingerprint": "b85a0c191cb14048af1e98756ab6ad6ea41ef8d44a5c66c09bf73e3e029bbcd7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "db.exec(\n    \"CREATE UNIQUE INDEX IF NOT EXISTS idx_unit_dispatches_active_per_unit \"\n    +", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC092", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b85a0c191cb14048af1e98756ab6ad6ea41ef8d44a5c66c09bf73e3e029bbcd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/db-coordination-schema.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 114257, "scanner": "repobility-threat-engine", "fingerprint": "eaf77680b574b93cdd3e75978a479807eb1dcab40559b75da1f11cc0c9d1ad38", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"access-control-allow-origin\": \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eaf77680b574b93cdd3e75978a479807eb1dcab40559b75da1f11cc0c9d1ad38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/browser-tools/tools/network-mock.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 114256, "scanner": "repobility-threat-engine", "fingerprint": "3e5fe338aa9ed4c7ad1c221abfaace986e809a6def433a3ad5f8e8a751d3447b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e5fe338aa9ed4c7ad1c221abfaace986e809a6def433a3ad5f8e8a751d3447b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update-gsd-browser-local.mjs"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC114", 
"level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 114253, "scanner": "repobility-threat-engine", "fingerprint": "2213cfb784b3170e0ac20d94453bb35e95a0d6700871f7ce15a13686f8f909d9", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|141|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/summarize-prompt-context.cjs"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render."}, "properties": {"repobilityId": 114248, "scanner": "repobility-threat-engine", "fingerprint": "9cf52176b38abaee1f8102fdbdeae6f39b1ae24270f9857809906b22bc792395", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9cf52176b38abaee1f8102fdbdeae6f39b1ae24270f9857809906b22bc792395"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/examples/extensions/snake.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 114247, "scanner": "repobility-threat-engine", "fingerprint": "e0ef95f72f9f33739b70ad5e35a2b6a92b87269f4c236bd0ace52de77cc62095", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0ef95f72f9f33739b70ad5e35a2b6a92b87269f4c236bd0ace52de77cc62095"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/resources/extensions/shared/gsd-browser-cli.ts"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 114246, "scanner": "repobility-threat-engine", "fingerprint": "10c5f2a58b00d2a543d7ef8ac98b761f6599f926285687ac4770a810225b1081", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10c5f2a58b00d2a543d7ef8ac98b761f6599f926285687ac4770a810225b1081"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/resources/extensions/gsd/activity-log.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 114245, "scanner": "repobility-threat-engine", "fingerprint": "f0961f51e794ffa76a453fd9f369eadb9f5e89cda71de1209026a11f784e10ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|f0961f51e794ffa76a453fd9f369eadb9f5e89cda71de1209026a11f784e10ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/examples/extensions/doom-overlay/doom/build.sh"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 114235, "scanner": "repobility-threat-engine", "fingerprint": "6e016f88744b23719e921bb51f26fce38280e7977acdea81f3d67caf3626f0c5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(rule", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6e016f88744b23719e921bb51f26fce38280e7977acdea81f3d67caf3626f0c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/src/core/tools/bash-interceptor.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 114234, "scanner": "repobility-threat-engine", "fingerprint": "a6da7211640ee8c8e3909cfa4e75b96c9c3995ef104894838eeb9e31130e5ab1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(options", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a6da7211640ee8c8e3909cfa4e75b96c9c3995ef104894838eeb9e31130e5ab1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/native/src/grep/index.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 114233, "scanner": "repobility-threat-engine", "fingerprint": "13a000662d21ac74582d350d6603d6001d43319b41a9ec22cc4c8fad755fbe86", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|13a000662d21ac74582d350d6603d6001d43319b41a9ec22cc4c8fad755fbe86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-modes/src/modes/interactive/components/session-selector-search.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 114232, "scanner": "repobility-threat-engine", "fingerprint": "a74649acbc8ec3a9626ae5b890b99665c41b28547da21c90023fafff9c161a79", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a74649acbc8ec3a9626ae5b890b99665c41b28547da21c90023fafff9c161a79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/pi-coding-agent/examples/extensions/snake.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 114231, "scanner": "repobility-threat-engine", "fingerprint": "f42540538096d44f4abbf08e683e9f76653ba9ed066bdbea6b6a6eeb96e2435c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f42540538096d44f4abbf08e683e9f76653ba9ed066bdbea6b6a6eeb96e2435c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/session/agent-session-bash.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 114226, "scanner": "repobility-threat-engine", "fingerprint": "ab8a4dd0a9db494bc5d220532e87e82ccb8804534cc49015d4c6fb83102d48fa", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(resolvedInput", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|296|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/export-html/index.ts"}, "region": {"startLine": 296}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 114216, "scanner": "repobility-threat-engine", "fingerprint": "9f78bd61b877137e90d3aa871b716c63eab388896fe9b1e3d87c39c68950b023", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line) => `<div class=\"ansi-line\">${ansiToHtml(line) || \"&nbsp;\"}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f78bd61b877137e90d3aa871b716c63eab388896fe9b1e3d87c39c68950b023"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/export-html/ansi-to-html.ts"}, "region": {"startLine": 257}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 114215, "scanner": "repobility-threat-engine", "fingerprint": "a26ab5618951cfa5cdefc8bd59434f2648f56546edda6b31debe55f69be66e8f", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}=${JSON.stringify(v)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a26ab5618951cfa5cdefc8bd59434f2648f56546edda6b31debe55f69be66e8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/compaction/utils.ts"}, "region": {"startLine": 192}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 114214, "scanner": "repobility-threat-engine", "fingerprint": "e8914fd683fb41ca798cbd53c20ba124f76692342b37e6005ea2392d80dbb4ea", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((name) => `--${name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e8914fd683fb41ca798cbd53c20ba124f76692342b37e6005ea2392d80dbb4ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/agent-session-services.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 114212, "scanner": "repobility-threat-engine", "fingerprint": "1e8f99a55c7c266ed212a426dd55e49e557363c1ad310b2faa309a6300d21284", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1e8f99a55c7c266ed212a426dd55e49e557363c1ad310b2faa309a6300d21284"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/export-html/ansi-to-html.ts"}, "region": {"startLine": 207}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 114211, "scanner": "repobility-threat-engine", "fingerprint": "ba4176a43c79a051223623e72b5b5fb9293b9364dc6a7e35dfbe1c34749c16aa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ba4176a43c79a051223623e72b5b5fb9293b9364dc6a7e35dfbe1c34749c16aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/bash-executor.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 114210, "scanner": "repobility-threat-engine", "fingerprint": "8578a2f80d8b51d96587096aa4b05bc8d213a44e06dd5e2b77c4841ffd0e3307", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8578a2f80d8b51d96587096aa4b05bc8d213a44e06dd5e2b77c4841ffd0e3307"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/daemon/src/launchd.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 114198, "scanner": "repobility-threat-engine", "fingerprint": "0b79fb453f0e907e846239d6a2a3c61195d6c3886b8384b72ef0357cc47b90c3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0b79fb453f0e907e846239d6a2a3c61195d6c3886b8384b72ef0357cc47b90c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/gsd-agent-core/src/lifecycle-hooks.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 114197, "scanner": "repobility-threat-engine", "fingerprint": "29c73cddf563fb40f4f40344ecb1077f8bb48f3b352fb524c8228b15ee7e307f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29c73cddf563fb40f4f40344ecb1077f8bb48f3b352fb524c8228b15ee7e307f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/daemon/src/cloud-runtime.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 114196, "scanner": "repobility-threat-engine", "fingerprint": "0c603eee294ab3961c41952f0426f794cdcef4ceb873a94b60374736ac43a8f8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0c603eee294ab3961c41952f0426f794cdcef4ceb873a94b60374736ac43a8f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/daemon/src/cloud-config.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 114194, "scanner": "repobility-threat-engine", "fingerprint": "af8c856ba3bfd0de3d6c7cd07981a877cbe719b5d59fc83e94f6eafc953c585a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "socket.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|af8c856ba3bfd0de3d6c7cd07981a877cbe719b5d59fc83e94f6eafc953c585a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cloud-mcp-gateway/src/server.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 114193, "scanner": "repobility-threat-engine", "fingerprint": "ac28987e35e25073f03fb36d28ec7ae7ec87528ec99560cc2004d09504418dd3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.send(runtime, { type: \"cancel\", requestId });", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ac28987e35e25073f03fb36d28ec7ae7ec87528ec99560cc2004d09504418dd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cloud-mcp-gateway/src/runtime-registry.ts"}, "region": {"startLine": 170}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 114192, "scanner": "repobility-threat-engine", "fingerprint": "66d5fd483986a2b13ecd75641ed31abf8a0bfec26b8bd159d70c9935b78d33e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.persist();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|66d5fd483986a2b13ecd75641ed31abf8a0bfec26b8bd159d70c9935b78d33e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cloud-mcp-gateway/src/auth-store.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 114252, "scanner": "repobility-threat-engine", "fingerprint": "dab3c862f4acb97a9a9cbabbc90abedec34ee96dbcd4eeb20e17849bf116286c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(join", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dab3c862f4acb97a9a9cbabbc90abedec34ee96dbcd4eeb20e17849bf116286c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/install/detect-existing.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 114251, "scanner": "repobility-threat-engine", "fingerprint": "948d34325cfc1237ac79fa610a8b3f97a98d6b75863884816498a19f46ba4c49", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(join", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|948d34325cfc1237ac79fa610a8b3f97a98d6b75863884816498a19f46ba4c49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/install/banner.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "properties": {"repobilityId": 114244, "scanner": "repobility-threat-engine", "fingerprint": "3e22c1a952e6b552a9f09986a972fb6293ac3c7192cd78b30e7510f668f09be1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e22c1a952e6b552a9f09986a972fb6293ac3c7192cd78b30e7510f668f09be1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-coding-agent/examples/extensions/doom-overlay/doom-engine.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 114238, "scanner": "repobility-threat-engine", "fingerprint": "0a521d61bae03362926d857fd4c2df964ef45723532a492db635e20bd13d24fe", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a521d61bae03362926d857fd4c2df964ef45723532a492db635e20bd13d24fe"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "src/resources/extensions/visual-brief/prompts.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 114237, "scanner": "repobility-threat-engine", "fingerprint": "03a61d48c949a1199a2ff47a2f6cc8e641355dd650845b20cc8d677e80883e95", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03a61d48c949a1199a2ff47a2f6cc8e641355dd650845b20cc8d677e80883e95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pi-agent-core/src/harness/prompt-templates.ts"}, "region": {"startLine": 85}}}]}]}]}