{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/upload/jobs/:id."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /api/users/me/setti"}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /api/users/me/settings."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q6x5-8v7m-xcrf", "name": "protobufjs: GHSA-q6x5-8v7m-xcrf", "shortDescription": {"text": "protobufjs: GHSA-q6x5-8v7m-xcrf"}, "fullDescription": {"text": "protobufjs has overlong UTF-8 decoding"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jggg-4jg4-v7c6", "name": "protobufjs: GHSA-jggg-4jg4-v7c6", "shortDescription": {"text": "protobufjs: GHSA-jggg-4jg4-v7c6"}, "fullDescription": {"text": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fx83-v9x8-x52w", "name": "protobufjs: GHSA-fx83-v9x8-x52w", "shortDescription": {"text": "protobufjs: GHSA-fx83-v9x8-x52w"}, "fullDescription": {"text": "protobuf.js: Prototype injection in generated message constructors"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2pr8-phx7-x9h3", "name": "protobufjs: GHSA-2pr8-phx7-x9h3", "shortDescription": {"text": "protobufjs: GHSA-2pr8-phx7-x9h3"}, "fullDescription": {"text": "protobuf.js: Denial of service from crafted field names in generated code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwcw-c2x4-8c55", "name": "nanoid: GHSA-mwcw-c2x4-8c55", "shortDescription": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "fullDescription": {"text": "Predictable results in nanoid generation when given non-integer values"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash-es: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash-es: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash-es: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v9jr-rg53-9pgp", "name": "dompurify: GHSA-v9jr-rg53-9pgp", "shortDescription": {"text": "dompurify: GHSA-v9jr-rg53-9pgp"}, "fullDescription": {"text": "DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2wj-7wpq-c8vv", "name": "dompurify: GHSA-v2wj-7wpq-c8vv", "shortDescription": {"text": "dompurify: GHSA-v2wj-7wpq-c8vv"}, "fullDescription": {"text": "DOMPurify contains a Cross-site Scripting vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h8r8-wccr-v5f2", "name": "dompurify: GHSA-h8r8-wccr-v5f2", "shortDescription": {"text": "dompurify: GHSA-h8r8-wccr-v5f2"}, "fullDescription": {"text": "DOMPurify is vulnerable to mutation-XSS via Re-Contextualization "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h7mw-gpvr-xq4m", "name": "dompurify: GHSA-h7mw-gpvr-xq4m", "shortDescription": {"text": "dompurify: GHSA-h7mw-gpvr-xq4m"}, "fullDescription": {"text": "DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-crv5-9vww-q3g8", "name": "dompurify: GHSA-crv5-9vww-q3g8", "shortDescription": {"text": "dompurify: GHSA-crv5-9vww-q3g8"}, "fullDescription": {"text": "DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cjmm-f4jc-qw8r", "name": "dompurify: GHSA-cjmm-f4jc-qw8r", "shortDescription": {"text": "dompurify: GHSA-cjmm-f4jc-qw8r"}, "fullDescription": {"text": "DOMPurify ADD_ATTR predicate skips URI validation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-cj63-jhhr-wcxv", "name": "dompurify: GHSA-cj63-jhhr-wcxv", "shortDescription": {"text": "dompurify: GHSA-cj63-jhhr-wcxv"}, "fullDescription": {"text": "DOMPurify USE_PROFILES prototype pollution allows event handlers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-39q2-94rc-95cp", "name": "dompurify: GHSA-39q2-94rc-95cp", "shortDescription": {"text": "dompurify: GHSA-39q2-94rc-95cp"}, "fullDescription": {"text": "DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC105", "name": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted ove", "shortDescription": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "fullDescription": {"text": "Always set HttpOnly=true, Secure=true (in production), SameSite=Lax or Strict. For Express: `res.cookie(name, val, { httpOnly: true, secure: true, sameSite: 'lax' })`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Intervals created in React hooks or components should be cleared on unmount. Missing cleanup can keep stale callbacks alive after recording, polling, or overlay components close."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `pdf-parse` is 1 major version(s) behind (1.1.1 -> 2.4.5)", "shortDescription": {"text": "npm package `pdf-parse` is 1 major version(s) behind (1.1.1 -> 2.4.5)"}, "fullDescription": {"text": "`pdf-parse` is pinned/resolved at 1.1.1 but the latest stable release on the npm registry is 2.4.5 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED124", "name": "requirements.txt: `mock` has no version pin", "shortDescription": {"text": "requirements.txt: `mock` has no version pin"}, "fullDescription": {"text": "Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `find_duplicate` has cognitive complexity 9 (SonarSource scale). Cognitive", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `find_duplicate` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 9."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 5 more): Same pattern found in 5 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 80 more): Same pattern found in 80 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 80 more): Same pattern found in 80 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /api/users/r/:id."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /api/users/r/:id."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "GHSA-8x6r-g9mw-2r78", "name": "react-router: GHSA-8x6r-g9mw-2r78", "shortDescription": {"text": "react-router: GHSA-8x6r-g9mw-2r78"}, "fullDescription": {"text": "React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fv7c-fp4j-7gwp", "name": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp", "shortDescription": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "fullDescription": {"text": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5pgg-2g8v-p4x9", "name": "xlsx: GHSA-5pgg-2g8v-p4x9", "shortDescription": {"text": "xlsx: GHSA-5pgg-2g8v-p4x9"}, "fullDescription": {"text": "SheetJS Regular Expression Denial of Service (ReDoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4r6h-8v6p-xvw6", "name": "xlsx: GHSA-4r6h-8v6p-xvw6", "shortDescription": {"text": "xlsx: GHSA-4r6h-8v6p-xvw6"}, "fullDescription": {"text": "Prototype Pollution in sheetJS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jvwf-75h9-cwgg", "name": "protobufjs: GHSA-jvwf-75h9-cwgg", "shortDescription": {"text": "protobufjs: GHSA-jvwf-75h9-cwgg"}, "fullDescription": {"text": "protobuf.js: Process-wide denial of service through unsafe option paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-75px-5xx7-5xc7", "name": "protobufjs: GHSA-75px-5xx7-5xc7", "shortDescription": {"text": "protobufjs: GHSA-75px-5xx7-5xc7"}, "fullDescription": {"text": "protobuf.js: Code generation gadget after prototype pollution"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-685m-2w69-288q", "name": "protobufjs: GHSA-685m-2w69-288q", "shortDescription": {"text": "protobufjs: GHSA-685m-2w69-288q"}, "fullDescription": {"text": "protobuf.js: Denial of service through unbounded protobuf recursion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-66ff-xgx4-vchm", "name": "protobufjs: GHSA-66ff-xgx4-vchm", "shortDescription": {"text": "protobufjs: GHSA-66ff-xgx4-vchm"}, "fullDescription": {"text": "protobuf.js: Code injection through bytes field defaults in generated toObject code"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash-es: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-x6wf-f3px-wcqx", "name": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx", "shortDescription": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated processing instruction serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-j759-j44w-7fr8", "name": "@xmldom/xmldom: GHSA-j759-j44w-7fr8", "shortDescription": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "fullDescription": {"text": "xmldom has XML node injection through unvalidated comment serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f6ww-3ggp-fr8h", "name": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h", "shortDescription": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "fullDescription": {"text": "xmldom has XML injection through unvalidated DocumentType serialization"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2v35-w6hq-6mfw", "name": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw", "shortDescription": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "fullDescription": {"text": "xmldom: Uncontrolled recursion in XML serialization leads to DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v6`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "fullDescription": {"text": "`uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "package.json dep `xlsx` pulled from URL/Git", "shortDescription": {"text": "package.json dep `xlsx` pulled from URL/Git"}, "fullDescription": {"text": "`dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express PATCH /api/chat/conversations/:id has no auth", "shortDescription": {"text": "Express PATCH /api/chat/conversations/:id has no auth"}, "fullDescription": {"text": "Express route PATCH /api/chat/conversations/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "FastAPI PATCH helpers.write_apkg.FastPackage has no auth", "shortDescription": {"text": "FastAPI PATCH helpers.write_apkg.FastPackage has no auth"}, "fullDescription": {"text": "Handler `test_write_new_apkg_empty_deck_list` is registered with router/app.patch(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.assertEqual` used but never assigned in __init__", "shortDescription": {"text": "`self.assertEqual` used but never assigned in __init__"}, "fullDescription": {"text": "Method `test_web_lint_failure_denies` of class `TestWebScope` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. This can exfiltrate sessions when callback validation is incomplete."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "aws-access-token", "name": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on ", "shortDescription": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLAUDE_CODE_OAUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1260"}, "properties": {"repository": "2anki/server", "repoUrl": "https://github.com/2anki/server", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 127754, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 127753, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127748, "scanner": "repobility-journey-contract", "fingerprint": "0eeadf081877ec0306d546c7d54093b94db37014d5dd3b13f4b476ba97c37251", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/apkg/{param}/media/{param}", "correlation_key": "fp|0eeadf081877ec0306d546c7d54093b94db37014d5dd3b13f4b476ba97c37251", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/ApkgRouter.ts"}, "region": {"startLine": 152}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127747, "scanner": "repobility-journey-contract", "fingerprint": "a6c3c522a61869c9e831bbaa526058bd4b34b90b21c4419e9f3a504ac01edfc1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/webhook/notion", "correlation_key": "fp|a6c3c522a61869c9e831bbaa526058bd4b34b90b21c4419e9f3a504ac01edfc1", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyWebhookRouter.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127746, "scanner": "repobility-journey-contract", "fingerprint": "121c01d7bb70a11c44365d7bff3033b19710c0729fbb0d61f61285d95bf1bdf0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/clients/active/anki-web-status", "correlation_key": "fp|121c01d7bb70a11c44365d7bff3033b19710c0729fbb0d61f61285d95bf1bdf0", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 806}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127745, "scanner": "repobility-journey-contract", "fingerprint": "e8a0c8be6790bd6052b6820bafeffd9ea9b483039cc234041e69e11ad2837d3c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/clients/active/ready", "correlation_key": "fp|e8a0c8be6790bd6052b6820bafeffd9ea9b483039cc234041e69e11ad2837d3c", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 792}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127744, "scanner": "repobility-journey-contract", "fingerprint": "ddd30677c0587b6d0d89e4a4e1fbd8dde1acbfcc560a173f5fdf86fcd31c7c21", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/notion/databases", "correlation_key": "fp|ddd30677c0587b6d0d89e4a4e1fbd8dde1acbfcc560a173f5fdf86fcd31c7c21", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 778}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127743, "scanner": "repobility-journey-contract", "fingerprint": "95d32d8e10f199c965ba1a802b59d1ceecffb3b902a89d7eccadea664162d2f5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/notion/databases", "correlation_key": "fp|95d32d8e10f199c965ba1a802b59d1ceecffb3b902a89d7eccadea664162d2f5", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 773}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127742, "scanner": "repobility-journey-contract", "fingerprint": "da71942dc34e6134131e62b557604b53db11f0b902ce015d4cbb3f2ba545fc22", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/conflicts/{param}/resolve", "correlation_key": "fp|da71942dc34e6134131e62b557604b53db11f0b902ce015d4cbb3f2ba545fc22", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 743}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127741, "scanner": "repobility-journey-contract", "fingerprint": "f333cdb760329423145b01c385b72ef0e5d73764068d375e4e5dd52117ddd03b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/subscriptions/{param}/refresh", "correlation_key": "fp|f333cdb760329423145b01c385b72ef0e5d73764068d375e4e5dd52117ddd03b", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 712}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127740, "scanner": "repobility-journey-contract", "fingerprint": "8e035a4378b7b54d6a871c7399254aeb9390b3c02a78b6e687a9fdb48048e968", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/subscriptions/{param}", "correlation_key": "fp|8e035a4378b7b54d6a871c7399254aeb9390b3c02a78b6e687a9fdb48048e968", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 679}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127739, "scanner": "repobility-journey-contract", "fingerprint": "8d1312dc8a0de1df2ca85ffde3dd0a702bdde9bbf285379a3cda862c797702aa", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/exports/schedule", "correlation_key": "fp|8d1312dc8a0de1df2ca85ffde3dd0a702bdde9bbf285379a3cda862c797702aa", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 635}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127738, "scanner": "repobility-journey-contract", "fingerprint": "0e727faacc18cbd73f2bfbecc45668f1e497448f8dc8aec2e18dfeee0c69ed88", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/exports/schedule", "correlation_key": "fp|0e727faacc18cbd73f2bfbecc45668f1e497448f8dc8aec2e18dfeee0c69ed88", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 630}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127737, "scanner": "repobility-journey-contract", "fingerprint": "c351030a2420517e734ef3b9b79870a20af0f78702c48548d9a501f17b959dc7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/exports/schedule", "correlation_key": "fp|c351030a2420517e734ef3b9b79870a20af0f78702c48548d9a501f17b959dc7", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 625}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127736, "scanner": "repobility-journey-contract", "fingerprint": "9ed0787125a4667a3bdf1cb4ace31d7b5d0511fefe4ff2631fcd2680727edbd2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/exports/review-data", "correlation_key": "fp|9ed0787125a4667a3bdf1cb4ace31d7b5d0511fefe4ff2631fcd2680727edbd2", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 585}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127735, "scanner": "repobility-journey-contract", "fingerprint": "868f17f585a50ad1db81d93ce6cc4d78d972f7ba4688741b20557eac61509445", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ankify/clients/{param}/reissue-session", "correlation_key": "fp|868f17f585a50ad1db81d93ce6cc4d78d972f7ba4688741b20557eac61509445", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 539}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 127734, "scanner": "repobility-journey-contract", "fingerprint": "65bc7282ddf7866d54ac3700b3da295d2769643be2a9db1145cb53b4cfca70af", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat/message", "correlation_key": "fp|65bc7282ddf7866d54ac3700b3da295d2769643be2a9db1145cb53b4cfca70af", "backend_endpoint_count": 180}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config/swagger.ts"}, "region": {"startLine": 574}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/upload/jobs/:id."}, "properties": {"repobilityId": 127732, "scanner": "repobility-access-control", "fingerprint": "8ee79ddcfcaff9bd5eaa146ceaef47858002989793892a1b9df3d2efd0ba7baf", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/upload/jobs/:id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|src/routes/uploadrouter.ts|454|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UploadRouter.ts"}, "region": {"startLine": 454}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/favorite/remove."}, "properties": {"repobilityId": 127731, "scanner": "repobility-access-control", "fingerprint": "d840a2e5892c89260df1be057c0f72d11ac3be98deb14b9bc26412412c84f385", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/favorite/remove", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|124|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/FavoriteRouter.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/checks."}, "properties": {"repobilityId": 127730, "scanner": "repobility-access-control", "fingerprint": "6a4c75ad0ff8bd6f773963f021f2e363c182682a164685da959bd6051afeff24", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/checks", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|src/routes/checksrouter.ts|44|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/ChecksRouter.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /api/ops/errors/:messageHash/resolve."}, "properties": {"repobilityId": 127729, "scanner": "repobility-access-control", "fingerprint": "3279668db705ce7a3242a25b0d0f6cceeccb564305e103c870c3d5b1c50b45b5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/ops/errors/:messageHash/resolve", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|128|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/OpsErrorsRouter.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/ops/errors/:messageHash/resolve."}, "properties": {"repobilityId": 127728, "scanner": "repobility-access-control", "fingerprint": "5d79787eb3276eabff82fa52ac3283611f02b8905eeca3cf2a2672de01be7a72", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/ops/errors/:messageHash/resolve", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|125|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/OpsErrorsRouter.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/ops/errors/export."}, "properties": {"repobilityId": 127727, "scanner": "repobility-access-control", "fingerprint": "a58d30ca61f13e51875c4bdcb1a048c4dba9c38329c9b691f9c0dfae90783c85", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/ops/errors/export", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|84|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/OpsErrorsRouter.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/ops/errors."}, "properties": {"repobilityId": 127726, "scanner": "repobility-access-control", "fingerprint": "a527b980561cc74519527c3483b6520f8e787d6a6332fa8b219c9fb63ac55886", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/ops/errors", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|57|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/OpsErrorsRouter.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/showcase."}, "properties": {"repobilityId": 127725, "scanner": "repobility-access-control", "fingerprint": "cc4d75bd92a92f71e4a66fb22f5e1197b4881458d25705c1e054a048c1a1919e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/showcase", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|26|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/ShowcaseRouter.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/users/link_email."}, "properties": {"repobilityId": 127724, "scanner": "repobility-access-control", "fingerprint": "571c4baff4c1b402601740390c41f857d5791e60ea1a58ac7c6d504b964d53d4", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/users/link_email", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|web/mock-server/server.js|201|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/mock-server/server.js"}, "region": {"startLine": 201}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /api/users/debug/locals."}, "properties": {"repobilityId": 127723, "scanner": "repobility-access-control", "fingerprint": "03db5c30870f4cfded7fd2c19a116acb39ba1d1a9f7b47d9446444029eafef2b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/users/debug/locals", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|web/mock-server/server.js|161|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/mock-server/server.js"}, "region": {"startLine": 161}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /api/users/me/settings."}, "properties": {"repobilityId": 127722, "scanner": "repobility-access-control", "fingerprint": "243f8b55350e0e52c2efe286a1734b8b59dcf7eab497b7926730b5441798656d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/users/me/settings", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|317|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/SettingsRouter.ts"}, "region": {"startLine": 317}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/settings/list."}, "properties": {"repobilityId": 127721, "scanner": "repobility-access-control", "fingerprint": "9111ed53575ee6b4ff9121d270876c779fd286bd050261f8e4e86494618b9ef9", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings/list", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|293|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/SettingsRouter.ts"}, "region": {"startLine": 293}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/settings/card-options."}, "properties": {"repobilityId": 127720, "scanner": "repobility-access-control", "fingerprint": "660b863d5a8ccfc8c463387bec7a5cfbf8ee93b3b01ababdb0388fe0534f1f09", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings/card-options", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|246|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/SettingsRouter.ts"}, "region": {"startLine": 246}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/settings/default."}, "properties": {"repobilityId": 127719, "scanner": "repobility-access-control", "fingerprint": "bc766b09bf3a51315df12f13ec7fae9c2b1c836a984d68e0f29c9483ce807e8c", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings/default", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|209|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/SettingsRouter.ts"}, "region": {"startLine": 209}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/settings/find/:id."}, "properties": {"repobilityId": 127718, "scanner": "repobility-access-control", "fingerprint": "075c39c9aea62023b5fa8de4cf489e7fb93171174c3d2245c99ac13a5a9281dc", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings/find/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|183|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/SettingsRouter.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/settings/delete/:id."}, "properties": {"repobilityId": 127717, "scanner": "repobility-access-control", "fingerprint": "0c5958c44c45426813373f785472c595532e348b23cce65586ecd54a442e0a58", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings/delete/:id", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|132|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/SettingsRouter.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /api/settings/create/:id."}, "properties": {"repobilityId": 127716, "scanner": "repobility-access-control", "fingerprint": "d7bd2dea4a9ea5cb357ad212a8f0cff2d0d447c252ce9cde54702315b0843a23", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings/create/:id", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|91|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/SettingsRouter.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 127709, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 127707, "scanner": "osv-scanner", "fingerprint": "6b31393a3809bb9be986d0190c0d4b840d11b21b2f85239b6a256762f01f3187", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|web/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 127701, "scanner": "osv-scanner", "fingerprint": "0727364e57c088dabd2840fd21980edb99b147969b7db2965e7188703dcea5f1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q6x5-8v7m-xcrf", "level": "warning", "message": {"text": "protobufjs: GHSA-q6x5-8v7m-xcrf"}, "properties": {"repobilityId": 127700, "scanner": "osv-scanner", "fingerprint": "b33b79b9fd59696cb77135929c6310e23f3a0a6c87ae9168d2d9b3da75d1a04c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44288"], "package": "protobufjs", "rule_id": "GHSA-q6x5-8v7m-xcrf", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44288|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jggg-4jg4-v7c6", "level": "warning", "message": {"text": "protobufjs: GHSA-jggg-4jg4-v7c6"}, "properties": {"repobilityId": 127698, "scanner": "osv-scanner", "fingerprint": "0664e00c888b84ac96a0b8a56d84d5cd748a252430672c53387339c342017e33", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45740"], "package": "protobufjs", "rule_id": "GHSA-jggg-4jg4-v7c6", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-45740|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fx83-v9x8-x52w", "level": "warning", "message": {"text": "protobufjs: GHSA-fx83-v9x8-x52w"}, "properties": {"repobilityId": 127697, "scanner": "osv-scanner", "fingerprint": "0ad003d1cc4016716b428cda485455c497f4cc5289489ada690c9ab0efc3e45b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44292"], "package": "protobufjs", "rule_id": "GHSA-fx83-v9x8-x52w", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44292|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2pr8-phx7-x9h3", "level": "warning", "message": {"text": "protobufjs: GHSA-2pr8-phx7-x9h3"}, "properties": {"repobilityId": 127693, "scanner": "osv-scanner", "fingerprint": "5da42f8ba9e9360d2afb80e2f8025fce28f6ece32ae33683a7d45627612a4958", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44294"], "package": "protobufjs", "rule_id": "GHSA-2pr8-phx7-x9h3", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44294|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwcw-c2x4-8c55", "level": "warning", "message": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "properties": {"repobilityId": 127692, "scanner": "osv-scanner", "fingerprint": "5ab29893c2d14e0bfbe5c589bd65659abd6616e61aac03ab1c5fa9b6c850b05a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-55565"], "package": "nanoid", "rule_id": "GHSA-mwcw-c2x4-8c55", "scanner": "osv-scanner", "correlation_key": "vuln|nanoid|CVE-2024-55565|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash-es: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 127691, "scanner": "osv-scanner", "fingerprint": "e6345ac7f5d39839bda500a356c543a5aec16ad0fcd4a36b67003b6fcd4189fe", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash-es", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2025-13465|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 127689, "scanner": "osv-scanner", "fingerprint": "b90ae8d551f6d818b64e90dd68be738ed46fcc6fa2db637b203517b71986c2ba", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash-es", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2026-2950|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v9jr-rg53-9pgp", "level": "warning", "message": {"text": "dompurify: GHSA-v9jr-rg53-9pgp"}, "properties": {"repobilityId": 127688, "scanner": "osv-scanner", "fingerprint": "fe29f6c2ee4d60a6b43c1523af3de2b8e470e80a1a60d1e3ac346be5421b7c5c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41238"], "package": "dompurify", "rule_id": "GHSA-v9jr-rg53-9pgp", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|CVE-2026-41238|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2wj-7wpq-c8vv", "level": "warning", "message": {"text": "dompurify: GHSA-v2wj-7wpq-c8vv"}, "properties": {"repobilityId": 127687, "scanner": "osv-scanner", "fingerprint": "eb40d8741074d68235dd6bf7b9d8d2f2d9dcb58ebffc986f94151f7beaaf314a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-0540"], "package": "dompurify", "rule_id": "GHSA-v2wj-7wpq-c8vv", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|CVE-2026-0540|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h8r8-wccr-v5f2", "level": "warning", "message": {"text": "dompurify: GHSA-h8r8-wccr-v5f2"}, "properties": {"repobilityId": 127686, "scanner": "osv-scanner", "fingerprint": "796a02be5960a7ec4e181f4caa0055e35bf76f77b00674e2637135ec98f8c117", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "dompurify", "rule_id": "GHSA-h8r8-wccr-v5f2", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|GHSA-H8R8-WCCR-V5F2|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h7mw-gpvr-xq4m", "level": "warning", "message": {"text": "dompurify: GHSA-h7mw-gpvr-xq4m"}, "properties": {"repobilityId": 127685, "scanner": "osv-scanner", "fingerprint": "b790519639ef959d4e63a1af8a9726a758acef79215821cdca62cb9f799c5f7c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41240"], "package": "dompurify", "rule_id": "GHSA-h7mw-gpvr-xq4m", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|CVE-2026-41240|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-crv5-9vww-q3g8", "level": "warning", "message": {"text": "dompurify: GHSA-crv5-9vww-q3g8"}, "properties": {"repobilityId": 127684, "scanner": "osv-scanner", "fingerprint": "f512e1582fab74322b0e31a60e220e92ff8e377e435285f5b1a187533612cc51", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41239"], "package": "dompurify", "rule_id": "GHSA-crv5-9vww-q3g8", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|CVE-2026-41239|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cjmm-f4jc-qw8r", "level": "warning", "message": {"text": "dompurify: GHSA-cjmm-f4jc-qw8r"}, "properties": {"repobilityId": 127683, "scanner": "osv-scanner", "fingerprint": "97e9d778c720bb41fdaf98f2782b49cda2c583579eca94341b3ff1d79a4b71de", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "dompurify", "rule_id": "GHSA-cjmm-f4jc-qw8r", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|GHSA-CJMM-F4JC-QW8R|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-cj63-jhhr-wcxv", "level": "warning", "message": {"text": "dompurify: GHSA-cj63-jhhr-wcxv"}, "properties": {"repobilityId": 127682, "scanner": "osv-scanner", "fingerprint": "2547fe9dd3f8c7cb609a093be213dda5aa967e2e6df1f81590fbb12311c0a9ed", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "dompurify", "rule_id": "GHSA-cj63-jhhr-wcxv", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|GHSA-CJ63-JHHR-WCXV|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-39q2-94rc-95cp", "level": "warning", "message": {"text": "dompurify: GHSA-39q2-94rc-95cp"}, "properties": {"repobilityId": 127681, "scanner": "osv-scanner", "fingerprint": "abaa2e6834b6c948c1d59653cf161273479d607035b8f0ecdf7aa4619ab67969", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "dompurify", "rule_id": "GHSA-39q2-94rc-95cp", "scanner": "osv-scanner", "correlation_key": "vuln|dompurify|GHSA-39Q2-94RC-95CP|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q6x5-8v7m-xcrf", "level": "warning", "message": {"text": "@protobufjs/utf8: GHSA-q6x5-8v7m-xcrf"}, "properties": {"repobilityId": 127676, "scanner": "osv-scanner", "fingerprint": "b62fed364cd355ddef3ec7c6769e67069bf83d0dc793e36036cab5b49f69c743", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44288"], "package": "@protobufjs/utf8", "rule_id": "GHSA-q6x5-8v7m-xcrf", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs/utf8|CVE-2026-44288|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 127656, "scanner": "repobility-threat-engine", "fingerprint": "8221b978f19d46fa7ca31674a29e233158953b7a6e19183d8c8a067626ca91f4", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = result.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8221b978f19d46fa7ca31674a29e233158953b7a6e19183d8c8a067626ca91f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/DownloadsPage/components/PaywallBanner.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 127655, "scanner": "repobility-threat-engine", "fingerprint": "c8957f03112f503b99605d3cbe13a79010f88a3c0385f195fd62608da8cba9f1", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = result.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c8957f03112f503b99605d3cbe13a79010f88a3c0385f195fd62608da8cba9f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/DownloadsPage/components/DeckFeedbackPrompt.tsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 127654, "scanner": "repobility-threat-engine", "fingerprint": "2b71b5ac7c2cff5950146909acf62b859a301896c854af38285e2651cb0d967c", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = result.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b71b5ac7c2cff5950146909acf62b859a301896c854af38285e2651cb0d967c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/UpsellCard/UpsellCard.tsx"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC105", "level": "warning", "message": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "properties": {"repobilityId": 127640, "scanner": "repobility-threat-engine", "fingerprint": "e756f2fd885d849c75c283a9a0b3810cd7c1e9478cd23cdbada9fb348cca3377", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".cookie(ANON_ID_COOKIE, id, {\n    maxAge: ONE_YEAR_MS,\n    sameSite: 'lax',\n    httpOnly: false", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC105", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e756f2fd885d849c75c283a9a0b3810cd7c1e9478cd23cdbada9fb348cca3377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/middleware/anonIdMiddleware.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 127601, "scanner": "repobility-threat-engine", "fingerprint": "ac8706199bd05ec3558f4d330b6b198efde85fcf73e8599004cc53028040189f", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "re.compile(r\"\\brm\\s+(?:-[rRfvi]+\\s+)+", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ac8706199bd05ec3558f4d330b6b198efde85fcf73e8599004cc53028040189f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/safety.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 127590, "scanner": "repobility-threat-engine", "fingerprint": "ae9eedad6e27c572550fa816f3b515f88ed6e9faaa2870ecd883b2c2e2b82467", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|82|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifySessionProxyRouter.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 127589, "scanner": "repobility-threat-engine", "fingerprint": "569f1977479ae270ee6ae7bb291ef3351f96a797bb98f32a099f1be3fe0cc2db", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|72|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-write-secret-scan.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 127588, "scanner": "repobility-threat-engine", "fingerprint": "0670abfdcd333c958acfaa4e492861c9a477c40e6184d88f6621bbae4ac6f4a8", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|41|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/caveman/hooks/caveman-mode-tracker.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 127587, "scanner": "repobility-threat-engine", "fingerprint": "8b3e34fe0dc25725e8e2c5dc9a463edd9a61d03c1fd84eaa11c362dc58a2ecdd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        committed = subprocess.run(\n            [\"git\", \"diff\", \"--name-only\", \"origin/main...H", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8b3e34fe0dc25725e8e2c5dc9a463edd9a61d03c1fd84eaa11c362dc58a2ecdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 127586, "scanner": "repobility-threat-engine", "fingerprint": "08e1f76b300adab7db20de30c59d50d45e20152a551475c1fb5f6f40ed2e4498", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n      return null;\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|08e1f76b300adab7db20de30c59d50d45e20152a551475c1fb5f6f40ed2e4498"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/caveman/hooks/caveman-config.js"}, "region": {"startLine": 165}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 127584, "scanner": "repobility-threat-engine", "fingerprint": "3d0846a33529649d3f0a89e513707a9efba7c524923826676117dfabbed39c24", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d0846a33529649d3f0a89e513707a9efba7c524923826676117dfabbed39c24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/usecases/apkg/ImportApkgToNotionUseCase.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 127583, "scanner": "repobility-threat-engine", "fingerprint": "e8761b43e13871da660178dbd5f650343fd537a468905f1044691c0322986d54", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e8761b43e13871da660178dbd5f650343fd537a468905f1044691c0322986d54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/caveman/hooks/caveman-mode-tracker.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 127582, "scanner": "repobility-threat-engine", "fingerprint": "022ca113eff91bfa7d427e9a8f47ed674bcbdf2f4d395ba824ba1210ce0035b1", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|022ca113eff91bfa7d427e9a8f47ed674bcbdf2f4d395ba824ba1210ce0035b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/caveman/hooks/caveman-activate.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 127579, "scanner": "repobility-agent-runtime", "fingerprint": "cae5e61428465fa894f6b2fe9e2fee95675bf2a4db46070d5f98c15b4217ba19", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|cae5e61428465fa894f6b2fe9e2fee95675bf2a4db46070d5f98c15b4217ba19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/inactivity/jobs/scheduleInactivityWarnings.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 127578, "scanner": "repobility-agent-runtime", "fingerprint": "6270ac22c1ac7511c3826b7cefde6e79da8d4b8095aa275d2424cea6199c5950", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|6270ac22c1ac7511c3826b7cefde6e79da8d4b8095aa275d2424cea6199c5950"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/inactivity/jobs/scheduleInactiveUserDeletions.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 127577, "scanner": "repobility-agent-runtime", "fingerprint": "af606196820ed9eb409c6331dcd44a8c847d1a15ac9811947b2841a8819bb3c8", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|af606196820ed9eb409c6331dcd44a8c847d1a15ac9811947b2841a8819bb3c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/ankify/jobs/scheduleAnkifyPolling.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `pdf-parse` is 1 major version(s) behind (1.1.1 -> 2.4.5)"}, "properties": {"repobilityId": 127574, "scanner": "repobility-dependency-currency", "fingerprint": "04a547e8bdbb679de7ac2d0da4d264924d77b9721222f71bdc877af258adbcdc", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pdf-parse", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.4.5", "correlation_key": "fp|04a547e8bdbb679de7ac2d0da4d264924d77b9721222f71bdc877af258adbcdc", "current_version": "1.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `mock` has no version pin"}, "properties": {"repobilityId": 127530, "scanner": "repobility-supply-chain", "fingerprint": "81d48a0212c1dd093c198e5f8a92e171942058b2bf00865f37d18bb05c6bffaf", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81d48a0212c1dd093c198e5f8a92e171942058b2bf00865f37d18bb05c6bffaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "create_deck/requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "requirements.txt: `pytest` has no version pin"}, "properties": {"repobilityId": 127529, "scanner": "repobility-supply-chain", "fingerprint": "8eee22a8a7ce6b04d1607f5e879ffb04a8576337582adbff63f29910b331bcec", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8eee22a8a7ce6b04d1607f5e879ffb04a8576337582adbff63f29910b331bcec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "create_deck/requirements.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 127497, "scanner": "repobility-ast-engine", "fingerprint": "d4b3e771ee94fde20aade9868b5bbd7b8eb6cd9f206fb7dcc7580b85f3582e66", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4b3e771ee94fde20aade9868b5bbd7b8eb6cd9f206fb7dcc7580b85f3582e66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 127496, "scanner": "repobility-ast-engine", "fingerprint": "580522716853fdb70d2ac5cb9dedbc245d5d85ac7e153c9ea47ab926070f2613", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|580522716853fdb70d2ac5cb9dedbc245d5d85ac7e153c9ea47ab926070f2613"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/safety.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 127752, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 127751, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `find_duplicate` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, else=1, for=1, if=3, nested_bonus=3."}, "properties": {"repobilityId": 127598, "scanner": "repobility-threat-engine", "fingerprint": "2f042413db8b2b2c5bd3c15329efd30b936ecc6fd69d77a6ae0eb51c43f92269", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "find_duplicate", "breakdown": {"if": 3, "for": 1, "else": 1, "continue": 1, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|2f042413db8b2b2c5bd3c15329efd30b936ecc6fd69d77a6ae0eb51c43f92269"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/check-duplicate-commit-message.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=1, except=1, if=9."}, "properties": {"repobilityId": 127597, "scanner": "repobility-threat-engine", "fingerprint": "e1fa86b3ecfd787ca58e1c63560477b19d718c93ebb2021723ab60208d5b1eef", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 9, "and": 1, "except": 1}, "complexity": 11, "correlation_key": "fp|e1fa86b3ecfd787ca58e1c63560477b19d718c93ebb2021723ab60208d5b1eef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/check-commit-message.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, if=7, or=2."}, "properties": {"repobilityId": 127596, "scanner": "repobility-threat-engine", "fingerprint": "a29ed25967f085dde0d8655213634a8ca137d1b1e8cef8a8777c7589adbf7dea", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 7, "or": 2, "except": 1}, "complexity": 10, "correlation_key": "fp|a29ed25967f085dde0d8655213634a8ca137d1b1e8cef8a8777c7589adbf7dea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/check-browser-attestation.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 127581, "scanner": "repobility-threat-engine", "fingerprint": "6ea39360ee25d317649b54149390b82053bcb07528a78b5d899e100090e745c0", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\" chars; keep it <= \" + str(SUBJECT_MAX_LEN) + \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6ea39360ee25d317649b54149390b82053bcb07528a78b5d899e100090e745c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/check-commit-message.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 127580, "scanner": "repobility-threat-engine", "fingerprint": "d110bc865cb94de982c68f951636020dd93bf4a6837dae5365897d3d8876c307", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'CAVEMAN MODE ACTIVE \u2014 level: ' + mode + '. Behavior defined by /caveman-'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d110bc865cb94de982c68f951636020dd93bf4a6837dae5365897d3d8876c307"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/caveman/hooks/caveman-activate.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `sql.js` is minor version(s) behind (^1.13.0 -> 1.14.1)"}, "properties": {"repobilityId": 127576, "scanner": "repobility-dependency-currency", "fingerprint": "7b8c331e16bb80074e266bfd5f990708aa7c4d1213d5866eaa2f76d3595292aa", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "sql.js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.14.1", "correlation_key": "fp|7b8c331e16bb80074e266bfd5f990708aa7c4d1213d5866eaa2f76d3595292aa", "current_version": "^1.13.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `pg` is minor version(s) behind (^8.11.3 -> 8.21.0)"}, "properties": {"repobilityId": 127575, "scanner": "repobility-dependency-currency", "fingerprint": "bd21a9df548ff88344a5c6cad1517f9d2f222a6b41ec69144c624f9c0c87560f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "pg", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.21.0", "correlation_key": "fp|bd21a9df548ff88344a5c6cad1517f9d2f222a6b41ec69144c624f9c0c87560f", "current_version": "^8.11.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `multer` is minor version(s) behind (^2.0.1 -> 2.1.1)"}, "properties": {"repobilityId": 127572, "scanner": "repobility-dependency-currency", "fingerprint": "8ae416522d0a1085e2d964254125d97a716738b5015d69304428f9e34b207df8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "multer", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.1.1", "correlation_key": "fp|8ae416522d0a1085e2d964254125d97a716738b5015d69304428f9e34b207df8", "current_version": "^2.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `markdown-it` is minor version(s) behind (^14.1.1 -> 14.2.0)"}, "properties": {"repobilityId": 127569, "scanner": "repobility-dependency-currency", "fingerprint": "c33b684b580edb3098c30674267541b14e28d0f536ac0e6ed45a0a19b4d3dc55", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "markdown-it", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "14.2.0", "correlation_key": "fp|c33b684b580edb3098c30674267541b14e28d0f536ac0e6ed45a0a19b4d3dc55", "current_version": "^14.1.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `mammoth` is minor version(s) behind (^1.8.0 -> 1.12.0)"}, "properties": {"repobilityId": 127568, "scanner": "repobility-dependency-currency", "fingerprint": "ec38cc65b0e2f9e2b48af093322d09e0a0e468123866fc9960e2e3493f1915c2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "mammoth", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.12.0", "correlation_key": "fp|ec38cc65b0e2f9e2b48af093322d09e0a0e468123866fc9960e2e3493f1915c2", "current_version": "^1.8.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `knex` is minor version(s) behind (^3.1.0 -> 3.2.10)"}, "properties": {"repobilityId": 127567, "scanner": "repobility-dependency-currency", "fingerprint": "435e6dfa5bfa04186634d82404aca9a966a60bbb59db24a4b339186c676495ae", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "knex", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.2.10", "correlation_key": "fp|435e6dfa5bfa04186634d82404aca9a966a60bbb59db24a4b339186c676495ae", "current_version": "^3.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `google-auth-library` is minor version(s) behind (^10.6.2 -> 10.7.0)"}, "properties": {"repobilityId": 127565, "scanner": "repobility-dependency-currency", "fingerprint": "f56f3834377cee2b771fa872c8aa85dfa3a41cb9d4148088114871e277719287", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "google-auth-library", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.7.0", "correlation_key": "fp|f56f3834377cee2b771fa872c8aa85dfa3a41cb9d4148088114871e277719287", "current_version": "^10.6.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `find-remove` is minor version(s) behind (^5.0.0 -> 5.1.1)"}, "properties": {"repobilityId": 127563, "scanner": "repobility-dependency-currency", "fingerprint": "55bd87bf713309b774028158917c52948d49a033abf52debbfcd220a3a7e0a4f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "find-remove", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.1.1", "correlation_key": "fp|55bd87bf713309b774028158917c52948d49a033abf52debbfcd220a3a7e0a4f", "current_version": "^5.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `express` is minor version(s) behind (^5.1.0 -> 5.2.1)"}, "properties": {"repobilityId": 127561, "scanner": "repobility-dependency-currency", "fingerprint": "96c04047a7218794b4ba0c9560b7b5af8ff7ba90bb14a167f692a0e367337eb8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "express", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.2.1", "correlation_key": "fp|96c04047a7218794b4ba0c9560b7b5af8ff7ba90bb14a167f692a0e367337eb8", "current_version": "^5.1.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `dotenv` is minor version(s) behind (17.2.3 -> 17.4.2)"}, "properties": {"repobilityId": 127560, "scanner": "repobility-dependency-currency", "fingerprint": "7d0a6edf3bc4266f7204b7de7e254c27bb3062fe732aff34b6d85e61a31f7e6b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dotenv", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "17.4.2", "correlation_key": "fp|7d0a6edf3bc4266f7204b7de7e254c27bb3062fe732aff34b6d85e61a31f7e6b", "current_version": "17.2.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `cheerio` is minor version(s) behind (^1.0.0 -> 1.2.0)"}, "properties": {"repobilityId": 127558, "scanner": "repobility-dependency-currency", "fingerprint": "82547439ccdb74e440eced19a4d12bdca549b22c211a1fbe4cd88192f43aad32", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cheerio", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.2.0", "correlation_key": "fp|82547439ccdb74e440eced19a4d12bdca549b22c211a1fbe4cd88192f43aad32", "current_version": "^1.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `better-sqlite3` is minor version(s) behind (^12.9.0 -> 12.10.0)"}, "properties": {"repobilityId": 127557, "scanner": "repobility-dependency-currency", "fingerprint": "a74df42cb18c4640250b19db84808e570846d8cd29bab05f97c6ad041f78803f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "better-sqlite3", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.10.0", "correlation_key": "fp|a74df42cb18c4640250b19db84808e570846d8cd29bab05f97c6ad041f78803f", "current_version": "^12.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `axios` is minor version(s) behind (^1.13.5 -> 1.17.0)"}, "properties": {"repobilityId": 127556, "scanner": "repobility-dependency-currency", "fingerprint": "bcbf5f78d1147582c17705da61e03168255bf3266dc373628a0845b7d1d1a2d8", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "axios", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.17.0", "correlation_key": "fp|bcbf5f78d1147582c17705da61e03168255bf3266dc373628a0845b7d1d1a2d8", "current_version": "^1.13.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@notionhq/client` is minor version(s) behind (^5.18.0 -> 5.22.0)"}, "properties": {"repobilityId": 127554, "scanner": "repobility-dependency-currency", "fingerprint": "65e23e6691bbb0e3744b11a43b7a107652df1996d122c3b144874919a4890a10", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@notionhq/client", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.22.0", "correlation_key": "fp|65e23e6691bbb0e3744b11a43b7a107652df1996d122c3b144874919a4890a10", "current_version": "^5.18.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@anthropic-ai/sdk` is minor version(s) behind (^0.100.1 -> 0.101.0)"}, "properties": {"repobilityId": 127553, "scanner": "repobility-dependency-currency", "fingerprint": "5e673292ec12875fcc459a55f2d2289a2298ef0922c5964deba54b0453fa054a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@anthropic-ai/sdk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.101.0", "correlation_key": "fp|5e673292ec12875fcc459a55f2d2289a2298ef0922c5964deba54b0453fa054a", "current_version": "^0.100.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127470, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7261df7a4c1e54e8b023e159a252cfedaadc18b3bc4bee0d0de272ae377b538", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/data_layer/index.ts", "duplicate_line": 120, "correlation_key": "fp|e7261df7a4c1e54e8b023e159a252cfedaadc18b3bc4bee0d0de272ae377b538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127469, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ad80dc2d9630e4427b17fa1f2d111c7dc9b786dbc64f9314320d3221ff724e76", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/infrastracture/adapters/fileConversion/convertXLSXToHTML.ts", "duplicate_line": 35, "correlation_key": "fp|ad80dc2d9630e4427b17fa1f2d111c7dc9b786dbc64f9314320d3221ff724e76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/parser/xlsx/convertXLSXToHTML.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127468, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a61a4d8b8599f79bb57a39b78025d90d4ad9ec4ffcea8a870cdd9c30e046ea27", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/controllers/ApkgController.ts", "duplicate_line": 36, "correlation_key": "fp|a61a4d8b8599f79bb57a39b78025d90d4ad9ec4ffcea8a870cdd9c30e046ea27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/controllers/ShareController.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127467, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fbbf093f05ff7f2787a45282079a410007ececc7238203de917581f7f6774079", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/hooks/check-browser-attestation.py", "duplicate_line": 12, "correlation_key": "fp|fbbf093f05ff7f2787a45282079a410007ececc7238203de917581f7f6774079"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/safety.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127466, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b6f46d3ea4dc71bde54415f5319ab4e88b393c4306a86575ab642c06ce59a4c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/hooks/check-merge-status.py", "duplicate_line": 7, "correlation_key": "fp|6b6f46d3ea4dc71bde54415f5319ab4e88b393c4306a86575ab642c06ce59a4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/safety.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127465, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69867f9e0018d72d94035abde137de2c35fb3165f1594652e8f6f80a0bbab341", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/hooks/check-browser-attestation.py", "duplicate_line": 12, "correlation_key": "fp|69867f9e0018d72d94035abde137de2c35fb3165f1594652e8f6f80a0bbab341"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-write-secret-scan.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127464, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0bd6d232a4125603e957f59d2e818290c28f1aba0dd9b1726483d6cfe45e6ccd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/hooks/check-merge-status.py", "duplicate_line": 12, "correlation_key": "fp|0bd6d232a4125603e957f59d2e818290c28f1aba0dd9b1726483d6cfe45e6ccd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-write-secret-scan.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127463, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a56f3fae5972334a0f902b365bab9fec8d53400219b683c2a83a12ca8298f09d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/hooks/pre-bash-curl-pipe.py", "duplicate_line": 6, "correlation_key": "fp|a56f3fae5972334a0f902b365bab9fec8d53400219b683c2a83a12ca8298f09d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-write-secret-scan.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127462, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7bba3fb546a3f15c6fad24814c570bbc9d0c14007e22b3b9f83f2a8fc5861ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/hooks/check-browser-attestation.py", "duplicate_line": 12, "correlation_key": "fp|e7bba3fb546a3f15c6fad24814c570bbc9d0c14007e22b3b9f83f2a8fc5861ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127461, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ad3d22cca23b432d0c8729f67d751872b675041d5fbfcf6a7446328900ff324", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/hooks/check-browser-attestation.py", "duplicate_line": 12, "correlation_key": "fp|5ad3d22cca23b432d0c8729f67d751872b675041d5fbfcf6a7446328900ff324"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-bash-curl-pipe.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127460, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69c6408bb958e25f9de04c345d130eeb243d21c646d77fe78b2cd5ff090d2467", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/hooks/check-merge-status.py", "duplicate_line": 12, "correlation_key": "fp|69c6408bb958e25f9de04c345d130eeb243d21c646d77fe78b2cd5ff090d2467"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-bash-curl-pipe.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127459, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43e8496357bb46eac85d2566b57c4be7619fec1798f8f229973f31d81f4ad586", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/hooks/check-browser-attestation.py", "duplicate_line": 12, "correlation_key": "fp|43e8496357bb46eac85d2566b57c4be7619fec1798f8f229973f31d81f4ad586"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/check-merge-status.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127458, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc8daf0fe4ca0a7d750a92f16334cdc49442df68b055286da47ea303049271c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/hooks/check-browser-attestation.py", "duplicate_line": 12, "correlation_key": "fp|bc8daf0fe4ca0a7d750a92f16334cdc49442df68b055286da47ea303049271c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/check-duplicate-commit-message.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127457, "scanner": "repobility-ai-code-hygiene", "fingerprint": "729eae0d49dc48971029c3ed3cb992174d4b2c9bb716219807bb30e3ae8d4ee6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/hooks/check-browser-attestation.py", "duplicate_line": 12, "correlation_key": "fp|729eae0d49dc48971029c3ed3cb992174d4b2c9bb716219807bb30e3ae8d4ee6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/check-commit-message.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC046", "level": "none", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 127657, "scanner": "repobility-threat-engine", "fingerprint": "421c093ac37dfcc53989f926795c89f28e8098a914d8e5f7a865eb8d1653b5ef", "category": "open_redirect", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|421c093ac37dfcc53989f926795c89f28e8098a914d8e5f7a865eb8d1653b5ef"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 127653, "scanner": "repobility-threat-engine", "fingerprint": "b38d596d7399a3b15f7ad7063f16520cd73a85e4f6dea32e165332a9a9eab629", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b38d596d7399a3b15f7ad7063f16520cd73a85e4f6dea32e165332a9a9eab629"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/Chat/CardPreview.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 127652, "scanner": "repobility-threat-engine", "fingerprint": "1325665737816709e699331bdd8bda10b78cbde8fe95b05877d30f864b0bd438", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1325665737816709e699331bdd8bda10b78cbde8fe95b05877d30f864b0bd438"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/Skeleton/Skeleton.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 127650, "scanner": "repobility-threat-engine", "fingerprint": "a890b04c3bbe0a8cb484a80a3d21707e40ebad3b970f8303d18569caa4755181", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a890b04c3bbe0a8cb484a80a3d21707e40ebad3b970f8303d18569caa4755181"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/Chat/AssistantMarkdown.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 127649, "scanner": "repobility-threat-engine", "fingerprint": "85f05cedc861f03c30134086781f18dcf7110b689cad8143584be0a6f485ac8b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|85f05cedc861f03c30134086781f18dcf7110b689cad8143584be0a6f485ac8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/ankify/AnkiConnectClient.ts"}, "region": {"startLine": 230}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 127648, "scanner": "repobility-threat-engine", "fingerprint": "24f97df3fe9e09a03794379a84a05c23e2aecd825fc2148cb1569ab22403044f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|24f97df3fe9e09a03794379a84a05c23e2aecd825fc2148cb1569ab22403044f", "aggregated_count": 3}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 127647, "scanner": "repobility-threat-engine", "fingerprint": "42e1fae20667987fce14dde6658a3317ec8ba7df8da962b269866834e9da95a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|42e1fae20667987fce14dde6658a3317ec8ba7df8da962b269866834e9da95a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/helpers/getListItems.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 127646, "scanner": "repobility-threat-engine", "fingerprint": "a8c10bcd03950c00fe702cb36b6b5809d748db2ab3c83337fa9ce7c09c53842d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a8c10bcd03950c00fe702cb36b6b5809d748db2ab3c83337fa9ce7c09c53842d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/blocks/lists/BlockToggleList.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 127645, "scanner": "repobility-threat-engine", "fingerprint": "62cb83066ca251535980681fdd4d8530aa4219ecbe50404a3a9ce7465f3c3207", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62cb83066ca251535980681fdd4d8530aa4219ecbe50404a3a9ce7465f3c3207"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/blocks/BlockParagraph.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 127644, "scanner": "repobility-threat-engine", "fingerprint": "7b598fdaf383cfc36bb47487a6288f6c05331e134be3d9cad8f33bfe7c779478", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b598fdaf383cfc36bb47487a6288f6c05331e134be3d9cad8f33bfe7c779478"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 127643, "scanner": "repobility-threat-engine", "fingerprint": "51296d36ad16f59b67a1bbe6118cc4b2b0bd98c5d2a970f8b691bfc0796fb828", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|22|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/usecases/apkg/PackEditedApkgUseCase.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 127642, "scanner": "repobility-threat-engine", "fingerprint": "8c49925d0e291c190e0b80e14e962f660e621d4ecd8d4c376e7205768311fd73", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|3|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/shared/helpers/getRandomUUID.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 127641, "scanner": "repobility-threat-engine", "fingerprint": "74f15ab08322ade062f7a49136937685e13eacc5c921a22dbf98febea0d20928", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|46|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/ApkgPreviewService/parseCollection.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 127639, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 127635, "scanner": "repobility-threat-engine", "fingerprint": "976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "aggregated_count": 1}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 127634, "scanner": "repobility-threat-engine", "fingerprint": "6ee0e9c6a9c511f9c9c298ddde9fc8afd6bff1acf49984833fe69a8e6c33c5c5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ee0e9c6a9c511f9c9c298ddde9fc8afd6bff1acf49984833fe69a8e6c33c5c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/UsersService.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 127633, "scanner": "repobility-threat-engine", "fingerprint": "e9840c806fd3be5df2340877e0d2cf46c7bbd07d968dc97e43d29e8520f53925", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e9840c806fd3be5df2340877e0d2cf46c7bbd07d968dc97e43d29e8520f53925"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infrastracture/adapters/fileConversion/preprocessDocxHTML.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 127632, "scanner": "repobility-threat-engine", "fingerprint": "6a4691f46d7f057cb3b8231e1f0ced41d8746724f6f433bf7a4e60f7a94c9d7a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a4691f46d7f057cb3b8231e1f0ced41d8746724f6f433bf7a4e60f7a94c9d7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/data_layer/TokenRepository.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127631, "scanner": "repobility-threat-engine", "fingerprint": "e039613f6adb350134ca73047894d6e344ffdab5842887dafe1b2b0a3f68b1dc", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(describeGoogleApiKeyProblem(shape)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|12|console.error describegoogleapikeyproblem shape"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/UploadPage/components/UploadForm/hooks/useGooglePicker.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127630, "scanner": "repobility-threat-engine", "fingerprint": "9a2d33875051d08a2cb20c1ac6d8e5e14309c3e0e60580b52f70c974deb318ad", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.info(`Cleaned up ${count} expired magic token(s)", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/server.ts|25|console.info cleaned up count expired magic token s"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server.ts"}, "region": {"startLine": 255}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127629, "scanner": "repobility-threat-engine", "fingerprint": "31c5b8c4da17b0b59b797e039a693998661f31d8e0b2c643514edbd01deb48a5", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn('[NotionRepository] getNotionToken called with no owner')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|console.warn notionrepository getnotiontoken called with no owner"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/data_layer/NotionRespository.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 127628, "scanner": "repobility-threat-engine", "fingerprint": "ed94cb707d1e2c82f274dd11f822e9cef7f0bb7c64508eb42197f2e454e13daf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ed94cb707d1e2c82f274dd11f822e9cef7f0bb7c64508eb42197f2e454e13daf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/data_layer/GoogleDriveRepository.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 127627, "scanner": "repobility-threat-engine", "fingerprint": "7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "aggregated_count": 3}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 127626, "scanner": "repobility-threat-engine", "fingerprint": "b499521b80809961e3e1c4b31117ab5eb5ab21117201288cef34effbb5bb908f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b499521b80809961e3e1c4b31117ab5eb5ab21117201288cef34effbb5bb908f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/helpers/withRetry.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 127625, "scanner": "repobility-threat-engine", "fingerprint": "895e29ecb516a616287b12f0bf58ec00dd009c601ed1a10b2b22654a85d80a65", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|895e29ecb516a616287b12f0bf58ec00dd009c601ed1a10b2b22654a85d80a65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/data_layer/GoogleDriveRepository.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 127624, "scanner": "repobility-threat-engine", "fingerprint": "da994390f60bcece071bab973e892ffe4ef1b52a17d5b033462637f76d6685fa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da994390f60bcece071bab973e892ffe4ef1b52a17d5b033462637f76d6685fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/controllers/Upload/UploadController.ts"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 127622, "scanner": "repobility-threat-engine", "fingerprint": "43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|43b81e30ecec4542d5b7c1728a77ddf506d2c87684fdce356d7b2b0e14a44049"}}}, {"ruleId": "MINED019", "level": "none", "message": {"text": "[MINED019] Ssti Jinja From String (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 127618, "scanner": "repobility-threat-engine", "fingerprint": "ae007fa3f4a1b4292a8ecc662d5e3c2423e255a113a9e9ace75bb96894adb8d3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ae007fa3f4a1b4292a8ecc662d5e3c2423e255a113a9e9ace75bb96894adb8d3", "aggregated_count": 2}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 80 more): Same pattern found in 80 additional files. Review if needed."}, "properties": {"repobilityId": 127614, "scanner": "repobility-threat-engine", "fingerprint": "35cafe38d9a95aaedbb1b66b6ee0a7b33c55739d2c19612484d133db2461fbdb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 80 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|35cafe38d9a95aaedbb1b66b6ee0a7b33c55739d2c19612484d133db2461fbdb", "aggregated_count": 80}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 127613, "scanner": "repobility-threat-engine", "fingerprint": "e87998945a6b85cec627639db916e577e0a3ca9ec5fb2cd6f4f4a0dc075a00fd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e87998945a6b85cec627639db916e577e0a3ca9ec5fb2cd6f4f4a0dc075a00fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/digitalocean/prompt.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 127612, "scanner": "repobility-threat-engine", "fingerprint": "e350c01a75344df70e235fdee77ddd5d9df9b7a9bb19e068bff53ff5d9ac0aee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e350c01a75344df70e235fdee77ddd5d9df9b7a9bb19e068bff53ff5d9ac0aee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/digitalocean/migrate.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 127611, "scanner": "repobility-threat-engine", "fingerprint": "1d89da5275821af7faec5e5b1440646188061152b01b6ba49a25aee0d0ebe461", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1d89da5275821af7faec5e5b1440646188061152b01b6ba49a25aee0d0ebe461"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/digitalocean/logger.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 127608, "scanner": "repobility-threat-engine", "fingerprint": "897bdc4844bb4d2e59bb80b170f8d41fb45308fee7e3817a73d32aa296b7c4bd", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|897bdc4844bb4d2e59bb80b170f8d41fb45308fee7e3817a73d32aa296b7c4bd"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 127599, "scanner": "repobility-threat-engine", "fingerprint": "29306b5028b90ab8087937c717cb745fd7e07ab4ccb4b2237f19cccb49788ca3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 7, "or": 2, "except": 1}, "aggregated": true, "complexity": 10, "correlation_key": "fp|29306b5028b90ab8087937c717cb745fd7e07ab4ccb4b2237f19cccb49788ca3", "aggregated_count": 9}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 127595, "scanner": "repobility-threat-engine", "fingerprint": "9ad9bf0c265cd321c150a08a072a8e145739f2cd1982875a84041789b62e4bac", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9ad9bf0c265cd321c150a08a072a8e145739f2cd1982875a84041789b62e4bac"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 127591, "scanner": "repobility-threat-engine", "fingerprint": "9a38e81725d4cd7d3858c2dca40b30fff35130f2f83e2579933f8cbdf2284cba", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9a38e81725d4cd7d3858c2dca40b30fff35130f2f83e2579933f8cbdf2284cba"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 127585, "scanner": "repobility-threat-engine", "fingerprint": "55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5"}}}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `nodemailer` is patch version(s) behind (^8.0.1 -> 8.0.10)"}, "properties": {"repobilityId": 127573, "scanner": "repobility-dependency-currency", "fingerprint": "4ead4940ff5d2b6cce861c9bbde5747786de76f1d4c9748609359236653e6f2d", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "nodemailer", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.0.10", "correlation_key": "fp|4ead4940ff5d2b6cce861c9bbde5747786de76f1d4c9748609359236653e6f2d", "current_version": "^8.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `metascraper-logo-favicon` is patch version(s) behind (^5.50.1 -> 5.50.3)"}, "properties": {"repobilityId": 127571, "scanner": "repobility-dependency-currency", "fingerprint": "7bb3dc2286181e84b0059ba9f1271d5dcc3dfe17b035746a2c8107c9319e0a14", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "metascraper-logo-favicon", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.50.3", "correlation_key": "fp|7bb3dc2286181e84b0059ba9f1271d5dcc3dfe17b035746a2c8107c9319e0a14", "current_version": "^5.50.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `metascraper` is patch version(s) behind (^5.50.1 -> 5.50.3)"}, "properties": {"repobilityId": 127570, "scanner": "repobility-dependency-currency", "fingerprint": "c8d76c1d464aac215570518e626a9e9604cf6a485e21b066a682f455b78b14a2", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "metascraper", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.50.3", "correlation_key": "fp|c8d76c1d464aac215570518e626a9e9604cf6a485e21b066a682f455b78b14a2", "current_version": "^5.50.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `jsonwebtoken` is patch version(s) behind (^9.0.0 -> 9.0.3)"}, "properties": {"repobilityId": 127566, "scanner": "repobility-dependency-currency", "fingerprint": "9c93b277184c8cf48ccbed51968b6872d3b1f3731c26fafe8fa5dbc630473af3", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jsonwebtoken", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.0.3", "correlation_key": "fp|9c93b277184c8cf48ccbed51968b6872d3b1f3731c26fafe8fa5dbc630473af3", "current_version": "^9.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `get-notion-object-title` is patch version(s) behind (^0.2.0 -> 0.2.9)"}, "properties": {"repobilityId": 127564, "scanner": "repobility-dependency-currency", "fingerprint": "e4cc5fbabd76e11ce06a2fd1ef7ed2ee2e6746c00efa115baa160d992143565f", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "get-notion-object-title", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.2.9", "correlation_key": "fp|e4cc5fbabd76e11ce06a2fd1ef7ed2ee2e6746c00efa115baa160d992143565f", "current_version": "^0.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `fflate` is patch version(s) behind (^0.8.0 -> 0.8.3)"}, "properties": {"repobilityId": 127562, "scanner": "repobility-dependency-currency", "fingerprint": "8600646fa448d0bba50e00cefcbb1739ec2ccb7d1e4d0f0fc5d1d5b028ad9420", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "fflate", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.8.3", "correlation_key": "fp|8600646fa448d0bba50e00cefcbb1739ec2ccb7d1e4d0f0fc5d1d5b028ad9420", "current_version": "^0.8.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `cookie-parser` is patch version(s) behind (^1.4.6 -> 1.4.7)"}, "properties": {"repobilityId": 127559, "scanner": "repobility-dependency-currency", "fingerprint": "c6ee93cc1f6dcaa2fb68efdb1294c89a1c9ffca38c4b35ccc863bb7ddc92233e", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "cookie-parser", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.4.7", "correlation_key": "fp|c6ee93cc1f6dcaa2fb68efdb1294c89a1c9ffca38c4b35ccc863bb7ddc92233e", "current_version": "^1.4.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@sendgrid/mail` is patch version(s) behind (^8.1.3 -> 8.1.6)"}, "properties": {"repobilityId": 127555, "scanner": "repobility-dependency-currency", "fingerprint": "34c0ac0a07583adcce7ad0c6ed5d1d413668a6f13c3f96ec953a0299e4fb168b", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@sendgrid/mail", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.1.6", "correlation_key": "fp|34c0ac0a07583adcce7ad0c6ed5d1d413668a6f13c3f96ec953a0299e4fb168b", "current_version": "^8.1.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@2anki/csv-to-apkg` is patch version(s) behind (^1.4.4 -> 1.4.9)"}, "properties": {"repobilityId": 127552, "scanner": "repobility-dependency-currency", "fingerprint": "a95be04d7282b79a121f0357917045844cb9c15a12577ec763498389bfd9392a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@2anki/csv-to-apkg", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.4.9", "correlation_key": "fp|a95be04d7282b79a121f0357917045844cb9c15a12577ec763498389bfd9392a", "current_version": "^1.4.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 127750, "scanner": "repobility-journey-contract", "fingerprint": "707e7e79598981d654531339cdf579a8df7a034a3995e04260afbd67fd395351", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|177|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/LoginPage/components/LoginForm/index.tsx"}, "region": {"startLine": 177}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 127749, "scanner": "repobility-journey-contract", "fingerprint": "315f528338afbce11ed2d296fea9e4d3145489dabf6762103cd343ba6faafc97", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|186|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/forms/RegisterForm.tsx"}, "region": {"startLine": 186}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /api/users/r/:id."}, "properties": {"repobilityId": 127715, "scanner": "repobility-access-control", "fingerprint": "c86f844b5dabf74e4a0a3c0d95169db72c37659f6dccefc169d834e75265e897", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/users/r/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|src/routes/userrouter.ts|371|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UserRouter.ts"}, "region": {"startLine": 371}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /api/notion/render-block/:id."}, "properties": {"repobilityId": 127714, "scanner": "repobility-access-control", "fingerprint": "ab8742e964c28f04818e5440843012d68f5de371f604fa0df99309f698586f1d", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/notion/render-block/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|src/routes/notionrouter.ts|576|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/NotionRouter.ts"}, "region": {"startLine": 576}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /download/:id/:filename."}, "properties": {"repobilityId": 127713, "scanner": "repobility-access-control", "fingerprint": "ffc126d9b5fb143f0f65bb95df6c2d4f967db6d799a54cb07ec6899d8b70ecfb", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/download/:id/:filename", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|161|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/DownloadRouter.ts"}, "region": {"startLine": 161}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /download/:id/bulk."}, "properties": {"repobilityId": 127712, "scanner": "repobility-access-control", "fingerprint": "3cdef4ca4b9536929607e3b200eb8a2b9f1ed481f72168786eb650493b72a663", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/download/:id/bulk", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|122|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/DownloadRouter.ts"}, "region": {"startLine": 122}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /download/:id."}, "properties": {"repobilityId": 127711, "scanner": "repobility-access-control", "fingerprint": "79d3310fd956b1805e22c9353fbef2098f2f32092a32380c508f099f52229610", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/download/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|89|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/DownloadRouter.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /api/ankify/clients/:id."}, "properties": {"repobilityId": 127710, "scanner": "repobility-access-control", "fingerprint": "5888c752d41f6bae5bfad067fa13e67a50bce87f9ae0b1218c3bf82574784d8d", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/ankify/clients/:id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|src/routes/ankifyrouter.ts|476|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifyRouter.ts"}, "region": {"startLine": 476}}}]}, {"ruleId": "GHSA-8x6r-g9mw-2r78", "level": "error", "message": {"text": "react-router: GHSA-8x6r-g9mw-2r78"}, "properties": {"repobilityId": 127708, "scanner": "osv-scanner", "fingerprint": "76ba179b952fb2c0e982f633b6a32060cc8a31c7e4008a6cb0254fb4dc21d11c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42342"], "package": "react-router", "rule_id": "GHSA-8x6r-g9mw-2r78", "scanner": "osv-scanner", "correlation_key": "vuln|react-router|CVE-2026-42342|web/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 127706, "scanner": "osv-scanner", "fingerprint": "6ca70052253669eadfa2a75e25767cedf0252d4d6308fd002b3a32d78599ed64", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|web/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 127705, "scanner": "osv-scanner", "fingerprint": "459b4d0923bc7cdfbcf41d54d479556f3619f17550eb1ae0cf3549c494b268c5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|web/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fv7c-fp4j-7gwp", "level": "error", "message": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "properties": {"repobilityId": 127704, "scanner": "osv-scanner", "fingerprint": "39d192884a1dfc47a0962215a4049d1840d69e1feb29f50909c89fc15047fda8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44728"], "package": "@babel/plugin-transform-modules-systemjs", "rule_id": "GHSA-fv7c-fp4j-7gwp", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44728|web/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5pgg-2g8v-p4x9", "level": "error", "message": {"text": "xlsx: GHSA-5pgg-2g8v-p4x9"}, "properties": {"repobilityId": 127703, "scanner": "osv-scanner", "fingerprint": "83125a0ba0272940b97d82480ba5c36a2e1960730504a33eb58622a75b2e854b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-22363"], "package": "xlsx", "rule_id": "GHSA-5pgg-2g8v-p4x9", "scanner": "osv-scanner", "correlation_key": "vuln|xlsx|CVE-2024-22363|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4r6h-8v6p-xvw6", "level": "error", "message": {"text": "xlsx: GHSA-4r6h-8v6p-xvw6"}, "properties": {"repobilityId": 127702, "scanner": "osv-scanner", "fingerprint": "430e00a2ba931a71eec619d803f083e90c818e6b503b6e0f1c7fa57ec92f87a5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-30533"], "package": "xlsx", "rule_id": "GHSA-4r6h-8v6p-xvw6", "scanner": "osv-scanner", "correlation_key": "vuln|xlsx|CVE-2023-30533|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jvwf-75h9-cwgg", "level": "error", "message": {"text": "protobufjs: GHSA-jvwf-75h9-cwgg"}, "properties": {"repobilityId": 127699, "scanner": "osv-scanner", "fingerprint": "b4f545775b6e58b23e03fb12f84beaf84ea34fd3563c6adaf1077d5fa008d283", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44290"], "package": "protobufjs", "rule_id": "GHSA-jvwf-75h9-cwgg", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44290|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-75px-5xx7-5xc7", "level": "error", "message": {"text": "protobufjs: GHSA-75px-5xx7-5xc7"}, "properties": {"repobilityId": 127696, "scanner": "osv-scanner", "fingerprint": "d392bcd6ab67ac26916d5f86aefffca7e238815dcc3d8ee00a98f67511d8f3cf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44291"], "package": "protobufjs", "rule_id": "GHSA-75px-5xx7-5xc7", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44291|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-685m-2w69-288q", "level": "error", "message": {"text": "protobufjs: GHSA-685m-2w69-288q"}, "properties": {"repobilityId": 127695, "scanner": "osv-scanner", "fingerprint": "3677c9fc441fe6ba6b5404f9f6e073f93b9e53ad987ce7ec1aca472ffe800200", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44289"], "package": "protobufjs", "rule_id": "GHSA-685m-2w69-288q", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44289|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-66ff-xgx4-vchm", "level": "error", "message": {"text": "protobufjs: GHSA-66ff-xgx4-vchm"}, "properties": {"repobilityId": 127694, "scanner": "osv-scanner", "fingerprint": "ad79854e3d9cc2e17279d1526514df2935b3e5fcb4a62c34fa9dca9bfc7e444b", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44293"], "package": "protobufjs", "rule_id": "GHSA-66ff-xgx4-vchm", "scanner": "osv-scanner", "correlation_key": "vuln|protobufjs|CVE-2026-44293|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 127690, "scanner": "osv-scanner", "fingerprint": "01498d7ea9aef0d6a550e7cd86ec4127d89b0518382f7ad5d22570091f535b91", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash-es", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2026-4800|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-x6wf-f3px-wcqx", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-x6wf-f3px-wcqx"}, "properties": {"repobilityId": 127680, "scanner": "osv-scanner", "fingerprint": "c0f892c139bfd4e3348f362e745baf38b56e6953910dde5f826a86b96dc17653", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41675"], "package": "@xmldom/xmldom", "rule_id": "GHSA-x6wf-f3px-wcqx", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41675|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j759-j44w-7fr8", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-j759-j44w-7fr8"}, "properties": {"repobilityId": 127679, "scanner": "osv-scanner", "fingerprint": "adbf58756e7176987a86c9d633b6754fa7e991a96c1763554be2ed2b350b3ff6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41672"], "package": "@xmldom/xmldom", "rule_id": "GHSA-j759-j44w-7fr8", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41672|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f6ww-3ggp-fr8h", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-f6ww-3ggp-fr8h"}, "properties": {"repobilityId": 127678, "scanner": "osv-scanner", "fingerprint": "a8991a924dfa5b75da05017304e4acd96f5d5b83ea10960fc2ad6db74c9a17c8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41674"], "package": "@xmldom/xmldom", "rule_id": "GHSA-f6ww-3ggp-fr8h", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41674|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2v35-w6hq-6mfw", "level": "error", "message": {"text": "@xmldom/xmldom: GHSA-2v35-w6hq-6mfw"}, "properties": {"repobilityId": 127677, "scanner": "osv-scanner", "fingerprint": "611a284af499c2f75b689db4a9cf087c74833ffac8b9963a5d0d14fbde1eedee", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41673"], "package": "@xmldom/xmldom", "rule_id": "GHSA-2v35-w6hq-6mfw", "scanner": "osv-scanner", "correlation_key": "vuln|xmldom/xmldom|CVE-2026-41673|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 127651, "scanner": "repobility-threat-engine", "fingerprint": "f7baecdc33e1f0e0ba74c2f08870920ac72d33dc75613fb82f019f49049dbec7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/api/users/logout', (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f7baecdc33e1f0e0ba74c2f08870920ac72d33dc75613fb82f019f49049dbec7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/mock-server/server.js"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 127638, "scanner": "repobility-threat-engine", "fingerprint": "83d1133cdfeaa1c53a084fb1360f4845bfbfbc48c656b1b15bc0819dfa12fb92", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "reduce((acc, curr) => `${acc}<br>${curr}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|83d1133cdfeaa1c53a084fb1360f4845bfbfbc48c656b1b15bc0819dfa12fb92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/helpers/getPlainText.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 127637, "scanner": "repobility-threat-engine", "fingerprint": "f2f5985436e4572dc47be61bcc6a0245480bbaeb59d4268e56e6d4619304e578", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((cell) => `<td>${renderCell(cell, handler)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2f5985436e4572dc47be61bcc6a0245480bbaeb59d4268e56e6d4619304e578"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/blocks/lists/BlockTable.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 127636, "scanner": "repobility-threat-engine", "fingerprint": "bda3826cb01ba45b6769e142b0e43c40065be67e3c93c5ce05885d7e6c813c42", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((opt) => `<li>${opt}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bda3826cb01ba45b6769e142b0e43c40065be67e3c93c5ce05885d7e6c813c42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infrastracture/adapters/fileConversion/preprocessDocxHTML.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 127623, "scanner": "repobility-threat-engine", "fingerprint": "f6ed7e5031d0bcc8fb28dae5abfbbc82c10576715c0c51526fe071fb87bdeb19", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(req: Request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|103|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/controllers/OpsErrorsController.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 127621, "scanner": "repobility-threat-engine", "fingerprint": "6c7d324bf58a9ee6b9ae6e7ea99c25fd3bc775c545d6f6689e2f0ce0bb22f143", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "controller.create(req, res)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6c7d324bf58a9ee6b9ae6e7ea99c25fd3bc775c545d6f6689e2f0ce0bb22f143"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/MindmapRouter.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 127620, "scanner": "repobility-threat-engine", "fingerprint": "f199f9bb0b83ab43931486df4acf0379ae38d4c6a31a3161bc0bdd92b00a3669", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "socket.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f199f9bb0b83ab43931486df4acf0379ae38d4c6a31a3161bc0bdd92b00a3669"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifySessionProxyRouter.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 127619, "scanner": "repobility-threat-engine", "fingerprint": "e8149d2a096bd9c9c3fc566ffdc3743cd290681df6b1bd5aeea58596e77a0f4d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "res.destroy(err);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e8149d2a096bd9c9c3fc566ffdc3743cd290681df6b1bd5aeea58596e77a0f4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/controllers/DownloadController.ts"}, "region": {"startLine": 225}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127607, "scanner": "repobility-threat-engine", "fingerprint": "5d0ff8f83ca59971149b299de77545d457447c454c9223dd1b378b9f8f0baeba", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n  p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d0ff8f83ca59971149b299de77545d457447c454c9223dd1b378b9f8f0baeba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/controllers/ErrorEventController.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127606, "scanner": "repobility-threat-engine", "fingerprint": "add0a84c87c6a08e023a8d4e06abd7045e32f3ae765cbc724ea1184024812f19", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|add0a84c87c6a08e023a8d4e06abd7045e32f3ae765cbc724ea1184024812f19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/digitalocean/config.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127605, "scanner": "repobility-threat-engine", "fingerprint": "b804b517f1ef3d5eccf9119687bda5f763d40b4fe4bde017d31c97c6e92997a4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url (s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b804b517f1ef3d5eccf9119687bda5f763d40b4fe4bde017d31c97c6e92997a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/deploy-blue-green.sh"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 127604, "scanner": "repobility-threat-engine", "fingerprint": "4d301be365b75d9e618fa5fde5586b80d9da5554c7a844930bb6c462443e10a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4d301be365b75d9e618fa5fde5586b80d9da5554c7a844930bb6c462443e10a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/usecases/chat/ChatDeckUseCase.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 127603, "scanner": "repobility-threat-engine", "fingerprint": "0d02c8c473f648173fc5882289158bc4d68cb23548832252d79214b071c2d00d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0d02c8c473f648173fc5882289158bc4d68cb23548832252d79214b071c2d00d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "create_deck/helpers/get_model_id.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 127602, "scanner": "repobility-threat-engine", "fingerprint": "bab07dd9c7a2f8ce1e70e82907601b3ecc955c7bb7f260971ca842132ad3305e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bab07dd9c7a2f8ce1e70e82907601b3ecc955c7bb7f260971ca842132ad3305e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "create_deck/create_io_deck.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 127600, "scanner": "repobility-threat-engine", "fingerprint": "1bc579556676e16d17c8f64cb1a0a6aec036c505b40c9d334756bf26fb9b4e00", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1bc579556676e16d17c8f64cb1a0a6aec036c505b40c9d334756bf26fb9b4e00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-bash-curl-pipe.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 127594, "scanner": "repobility-threat-engine", "fingerprint": "9570c9f24c3c6cdd3281f9d1c1dabd73a9227577a198fc0230d013dc76bddd95", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(template", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9570c9f24c3c6cdd3281f9d1c1dabd73a9227577a198fc0230d013dc76bddd95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/ApkgPreviewService/renderTemplate.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 127593, "scanner": "repobility-threat-engine", "fingerprint": "dbdf408a706caf89642373e9905675ba304482342d86890b0aae6f83db88cef9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(req", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dbdf408a706caf89642373e9905675ba304482342d86890b0aae6f83db88cef9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/AnkifySessionProxyRouter.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 127592, "scanner": "repobility-threat-engine", "fingerprint": "082ccede7cf979d4d513b8ad7deccd7e3c1c45c728612abdd180c6bcb5eed0d1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(prompt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|082ccede7cf979d4d513b8ad7deccd7e3c1c45c728612abdd180c6bcb5eed0d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/caveman/hooks/caveman-mode-tracker.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127551, "scanner": "repobility-supply-chain", "fingerprint": "5484b018e948f6475b55a9907c3f03f19a1e09b6a25804ac447105804fa16769", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5484b018e948f6475b55a9907c3f03f19a1e09b6a25804ac447105804fa16769"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/server.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127550, "scanner": "repobility-supply-chain", "fingerprint": "e62d7ca6f0370a262dae646cf2cb18d964a9fcd1bbcc6a03f985cfca422b79b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e62d7ca6f0370a262dae646cf2cb18d964a9fcd1bbcc6a03f985cfca422b79b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/server.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127549, "scanner": "repobility-supply-chain", "fingerprint": "707bb3234430c30dd6546d582b9d6197e7d5c6fc912fa44353e0cf77cdede628", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|707bb3234430c30dd6546d582b9d6197e7d5c6fc912fa44353e0cf77cdede628"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/web.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 127548, "scanner": "repobility-supply-chain", "fingerprint": "8b84ef6f532b0ecb796b9bfc54cd5acece49b583578821a6a9a3828084bb095a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b84ef6f532b0ecb796b9bfc54cd5acece49b583578821a6a9a3828084bb095a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/web.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127547, "scanner": "repobility-supply-chain", "fingerprint": "7eec807e3a7f205c39d0f1e063e3505251cf230feff22543f4eff49a4f0dbadd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7eec807e3a7f205c39d0f1e063e3505251cf230feff22543f4eff49a4f0dbadd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/web.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127546, "scanner": "repobility-supply-chain", "fingerprint": "e89a2a61f6e1226de2bd319cc8adb7db146d5700b3b94572feabcd184f7c17a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e89a2a61f6e1226de2bd319cc8adb7db146d5700b3b94572feabcd184f7c17a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/web.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `anthropics/claude-code-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 127545, "scanner": "repobility-supply-chain", "fingerprint": "4b6ee0aae6da4a53e262db45ab5605fa522c8e1899a5f365d90ee13d83d9fa25", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b6ee0aae6da4a53e262db45ab5605fa522c8e1899a5f365d90ee13d83d9fa25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127544, "scanner": "repobility-supply-chain", "fingerprint": "227012a306a92c0897250beb505cbcbb76a5e11a7b8f4d99a17f4d50b13438c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|227012a306a92c0897250beb505cbcbb76a5e11a7b8f4d99a17f4d50b13438c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127543, "scanner": "repobility-supply-chain", "fingerprint": "231f5d336d5efd7fd47718606dabcb6746302c7da582549e8e942bfd99ac5159", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|231f5d336d5efd7fd47718606dabcb6746302c7da582549e8e942bfd99ac5159"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/weekly-retro.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `appleboy/ssh-action` pinned to mutable ref `@v1.2.5`"}, "properties": {"repobilityId": 127542, "scanner": "repobility-supply-chain", "fingerprint": "ae4cc66be2095de0989a227c92e78a552df128ce6d622be4bdc13bee113114b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae4cc66be2095de0989a227c92e78a552df128ce6d622be4bdc13bee113114b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.2anki.net.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 127541, "scanner": "repobility-supply-chain", "fingerprint": "52796ade947c088c4b7c4e2aeb3e6ef35fe46c08db4e18dd2dcb18f06a7b58a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52796ade947c088c4b7c4e2aeb3e6ef35fe46c08db4e18dd2dcb18f06a7b58a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 127540, "scanner": "repobility-supply-chain", "fingerprint": "f14e82a28974135ab54154b36705c0f5c1872d351afb5b32f85b63fc5debbe54", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f14e82a28974135ab54154b36705c0f5c1872d351afb5b32f85b63fc5debbe54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 127539, "scanner": "repobility-supply-chain", "fingerprint": "cd26200b9f736dc0467eb1956a49208a0a668234839d9ef555a95dc5ebef6645", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd26200b9f736dc0467eb1956a49208a0a668234839d9ef555a95dc5ebef6645"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127538, "scanner": "repobility-supply-chain", "fingerprint": "f4fcf65554a0e27e30a3f1be54dac183f4a052dbd8f2b49fec757e461041d88c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f4fcf65554a0e27e30a3f1be54dac183f4a052dbd8f2b49fec757e461041d88c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/playwright.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `anthropics/claude-code-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 127536, "scanner": "repobility-supply-chain", "fingerprint": "be75998a83bc3602520f1a6e8b86468ad904755ca59c6e1b41e4513cb999e094", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be75998a83bc3602520f1a6e8b86468ad904755ca59c6e1b41e4513cb999e094"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127535, "scanner": "repobility-supply-chain", "fingerprint": "21d2647bfba311bca399726d84fe5de9859fff930f0c5894133c1c220b39dcb7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21d2647bfba311bca399726d84fe5de9859fff930f0c5894133c1c220b39dcb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127534, "scanner": "repobility-supply-chain", "fingerprint": "fc2bf82b07079b886f0e3585238247e68792b213a36aaaa3139455d932eb3648", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc2bf82b07079b886f0e3585238247e68792b213a36aaaa3139455d932eb3648"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create_deck.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127533, "scanner": "repobility-supply-chain", "fingerprint": "5fed1a90482a900ade6a8454a582d3c7d922bf9b80f4a6c17ddc55394f703ff7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5fed1a90482a900ade6a8454a582d3c7d922bf9b80f4a6c17ddc55394f703ff7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create_deck.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127532, "scanner": "repobility-supply-chain", "fingerprint": "ade6e9b703ec4dcac8ca10229c1a59e505b5e180facf92e206e8a3b0dfa81ebc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ade6e9b703ec4dcac8ca10229c1a59e505b5e180facf92e206e8a3b0dfa81ebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create_deck.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 127531, "scanner": "repobility-supply-chain", "fingerprint": "f16a99c0bafccf77d8cdfef2b41377923a3e976f19f851eebbb3a706eb546fe9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f16a99c0bafccf77d8cdfef2b41377923a3e976f19f851eebbb3a706eb546fe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create_deck.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "package.json dep `xlsx` pulled from URL/Git"}, "properties": {"repobilityId": 127528, "scanner": "repobility-supply-chain", "fingerprint": "a8f1c76992562017411b826eec26e3941fa1049ca1421d657472682b265ce789", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8f1c76992562017411b826eec26e3941fa1049ca1421d657472682b265ce789"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PATCH /api/chat/conversations/:id has no auth"}, "properties": {"repobilityId": 127527, "scanner": "repobility-route-auth", "fingerprint": "c838a5adf50eb8573fc78f1ca9cbb0860549154a030534f5bf92e446e60d66cd", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c838a5adf50eb8573fc78f1ca9cbb0860549154a030534f5bf92e446e60d66cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/ChatRouter.ts"}, "region": {"startLine": 430}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/chat/tag-cards has no auth"}, "properties": {"repobilityId": 127526, "scanner": "repobility-route-auth", "fingerprint": "14e2587a7243a4c1883abb4ceb03758900212f022669385c98a0cd2d9952bf84", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|14e2587a7243a4c1883abb4ceb03758900212f022669385c98a0cd2d9952bf84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/ChatRouter.ts"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/chat/deck has no auth"}, "properties": {"repobilityId": 127525, "scanner": "repobility-route-auth", "fingerprint": "cd535d85ac7d565cb66dc8803321afc0188f160a89768658b476038c03320c5b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|cd535d85ac7d565cb66dc8803321afc0188f160a89768658b476038c03320c5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/ChatRouter.ts"}, "region": {"startLine": 267}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/chat/message has no auth"}, "properties": {"repobilityId": 127524, "scanner": "repobility-route-auth", "fingerprint": "b6ff81dd4b8562721094b7d5d9d4fce3218574de07b5da77fd198f55e77ff412", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b6ff81dd4b8562721094b7d5d9d4fce3218574de07b5da77fd198f55e77ff412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/ChatRouter.ts"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/chat/consent has no auth"}, "properties": {"repobilityId": 127523, "scanner": "repobility-route-auth", "fingerprint": "ab96a40675a50f1215166f8c7f114f16068462eff7cdfa7fc3048ff8e0b75e22", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ab96a40675a50f1215166f8c7f114f16068462eff7cdfa7fc3048ff8e0b75e22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/ChatRouter.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /api/rules/:id has no auth"}, "properties": {"repobilityId": 127522, "scanner": "repobility-route-auth", "fingerprint": "936587094199df901d6db0bddc853692c193417e7dd165c4eb8a39e7e7ac5ad1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|936587094199df901d6db0bddc853692c193417e7dd165c4eb8a39e7e7ac5ad1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/ParserRulesRouter.ts"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/rules/create/:id has no auth"}, "properties": {"repobilityId": 127521, "scanner": "repobility-route-auth", "fingerprint": "675c898cdee10f6f59b1da363711c74e8513eac5737efddc2ea42016996db7c1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|675c898cdee10f6f59b1da363711c74e8513eac5737efddc2ea42016996db7c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/ParserRulesRouter.ts"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/contact-us has no auth"}, "properties": {"repobilityId": 127520, "scanner": "repobility-route-auth", "fingerprint": "62fe0c40f90793e81e3530eab257cff904a21128f7a34b6707db30c4ae02d44a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|62fe0c40f90793e81e3530eab257cff904a21128f7a34b6707db30c4ae02d44a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/DefaultRouter.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/surveys/post-login has no auth"}, "properties": {"repobilityId": 127519, "scanner": "repobility-route-auth", "fingerprint": "8da7393fbb717e4fa8dee3f9e972a3971ca0c3e0f2aefc335f151d0981f6274b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8da7393fbb717e4fa8dee3f9e972a3971ca0c3e0f2aefc335f151d0981f6274b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UserSurveyRouter.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/feedback/interview has no auth"}, "properties": {"repobilityId": 127518, "scanner": "repobility-route-auth", "fingerprint": "6e5e715135cef983fdeda40f364cec9e55d43cde21a6ad9cff0c16452270320f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6e5e715135cef983fdeda40f364cec9e55d43cde21a6ad9cff0c16452270320f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/FeedbackRouter.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /api/upload/google_drive/mine/:id has no auth"}, "properties": {"repobilityId": 127517, "scanner": "repobility-route-auth", "fingerprint": "637e7329676b1acfdc83643020c15f01e45023a13d166534d5542b88788f5365", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|637e7329676b1acfdc83643020c15f01e45023a13d166534d5542b88788f5365"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UploadRouter.ts"}, "region": {"startLine": 767}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /api/upload/dropbox/mine/:id has no auth"}, "properties": {"repobilityId": 127516, "scanner": "repobility-route-auth", "fingerprint": "b6381faa0ff39bfcdbcd46674d0ba6889aa601e7b811c92ffc748f4a34158b44", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b6381faa0ff39bfcdbcd46674d0ba6889aa601e7b811c92ffc748f4a34158b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UploadRouter.ts"}, "region": {"startLine": 666}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /api/upload/mine/:key has no auth"}, "properties": {"repobilityId": 127515, "scanner": "repobility-route-auth", "fingerprint": "5a8af884b8242c0f5448b09f7ce62415fe5afdfa63dd1851a7510d166475b5de", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5a8af884b8242c0f5448b09f7ce62415fe5afdfa63dd1851a7510d166475b5de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UploadRouter.ts"}, "region": {"startLine": 572}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/upload/jobs/:jobId/restart has no auth"}, "properties": {"repobilityId": 127514, "scanner": "repobility-route-auth", "fingerprint": "11a80cdd11bbd51c23bad639b8498025ee248977fb57ca7dca28cc4e799c5801", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|11a80cdd11bbd51c23bad639b8498025ee248977fb57ca7dca28cc4e799c5801"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UploadRouter.ts"}, "region": {"startLine": 531}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /api/upload/jobs/:id has no auth"}, "properties": {"repobilityId": 127513, "scanner": "repobility-route-auth", "fingerprint": "9ab0fc13d6d65b4ec45f274c23598e496ef07467e1d24eb08d7bb46ee0033375", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9ab0fc13d6d65b4ec45f274c23598e496ef07467e1d24eb08d7bb46ee0033375"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UploadRouter.ts"}, "region": {"startLine": 454}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/upload/google_drive has no auth"}, "properties": {"repobilityId": 127512, "scanner": "repobility-route-auth", "fingerprint": "523682a233be40211e77a009fff7c01affa752b0c805ccd5b8fa662407910905", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|523682a233be40211e77a009fff7c01affa752b0c805ccd5b8fa662407910905"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UploadRouter.ts"}, "region": {"startLine": 293}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/upload/dropbox has no auth"}, "properties": {"repobilityId": 127511, "scanner": "repobility-route-auth", "fingerprint": "79c4a28db0dd6ed0d291b6d090777bdc57d0c9569c4bdd24eeb1d9b32cd49813", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|79c4a28db0dd6ed0d291b6d090777bdc57d0c9569c4bdd24eeb1d9b32cd49813"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UploadRouter.ts"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/upload/retry-with-credential has no auth"}, "properties": {"repobilityId": 127510, "scanner": "repobility-route-auth", "fingerprint": "5484100af7f57e75ab6929a6b6a79f6f7a15e7f80cc35d7dab62b2bd22cc4505", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5484100af7f57e75ab6929a6b6a79f6f7a15e7f80cc35d7dab62b2bd22cc4505"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UploadRouter.ts"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/upload/save has no auth"}, "properties": {"repobilityId": 127509, "scanner": "repobility-route-auth", "fingerprint": "ef1f2e0b39336d771a2ab646b2d50878293a6cfb30ef42dc87f1419d326a5829", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ef1f2e0b39336d771a2ab646b2d50878293a6cfb30ef42dc87f1419d326a5829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UploadRouter.ts"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/upload/file has no auth"}, "properties": {"repobilityId": 127508, "scanner": "repobility-route-auth", "fingerprint": "4fc347b01614c7da19be808eb9e8c9cba1cccd55009b9e8c68386a62a69d5f26", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4fc347b01614c7da19be808eb9e8c9cba1cccd55009b9e8c68386a62a69d5f26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/UploadRouter.ts"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/favorite/remove has no auth"}, "properties": {"repobilityId": 127507, "scanner": "repobility-route-auth", "fingerprint": "f3e1d1ea3ad50a4939ef5a04272a12d67e0cdd4a22a4c469987e000e6cbd7a7f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f3e1d1ea3ad50a4939ef5a04272a12d67e0cdd4a22a4c469987e000e6cbd7a7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/FavoriteRouter.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/favorite/create has no auth"}, "properties": {"repobilityId": 127506, "scanner": "repobility-route-auth", "fingerprint": "ab72c597a8ae760684b1da9944fa91bb37cbda4d3ef5def0bb16681c51553fbc", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ab72c597a8ae760684b1da9944fa91bb37cbda4d3ef5def0bb16681c51553fbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/FavoriteRouter.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /api/ops/errors/:messageHash/resolve has no auth"}, "properties": {"repobilityId": 127505, "scanner": "repobility-route-auth", "fingerprint": "89704ef94098d1f1273529fbc79fecba3dc10177f32087aa53d1029c5290a4f4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|89704ef94098d1f1273529fbc79fecba3dc10177f32087aa53d1029c5290a4f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/OpsErrorsRouter.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/ops/errors/:messageHash/resolve has no auth"}, "properties": {"repobilityId": 127504, "scanner": "repobility-route-auth", "fingerprint": "07f7448e5de01cf60bd1208304cd42056aa5c9e86c33d2e73962294c295df254", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|07f7448e5de01cf60bd1208304cd42056aa5c9e86c33d2e73962294c295df254"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/OpsErrorsRouter.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /webhook has no auth"}, "properties": {"repobilityId": 127503, "scanner": "repobility-route-auth", "fingerprint": "ddb19750c741e1b5e2696cb54bce12fe5159b91a998680ed373afabdf9b2435f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ddb19750c741e1b5e2696cb54bce12fe5159b91a998680ed373afabdf9b2435f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/routes/WebhookRouter.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PATCH helpers.write_apkg.FastPackage has no auth"}, "properties": {"repobilityId": 127502, "scanner": "repobility-route-auth", "fingerprint": "7113fb5ef6e29649efcd539f20d229f252eae3fb19c97fd7a6bfa9e7076afe6e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|7113fb5ef6e29649efcd539f20d229f252eae3fb19c97fd7a6bfa9e7076afe6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "create_deck/tests/test_write_apkg.py"}, "region": {"startLine": 147}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PATCH helpers.write_apkg.FastPackage has no auth"}, "properties": {"repobilityId": 127501, "scanner": "repobility-route-auth", "fingerprint": "6d22d95121ebe1df090abf300eee18eff477c9ac80ae4c7f60167d17ce616cf8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|6d22d95121ebe1df090abf300eee18eff477c9ac80ae4c7f60167d17ce616cf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "create_deck/tests/test_write_apkg.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PATCH helpers.write_apkg.FastPackage has no auth"}, "properties": {"repobilityId": 127500, "scanner": "repobility-route-auth", "fingerprint": "17244e7a8225e3951cf3a9dbb6e72895fa37baa336f33dea71c481046889c1b2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|17244e7a8225e3951cf3a9dbb6e72895fa37baa336f33dea71c481046889c1b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "create_deck/tests/test_write_apkg.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PATCH helpers.write_apkg.FastPackage has no auth"}, "properties": {"repobilityId": 127499, "scanner": "repobility-route-auth", "fingerprint": "87aaacdec369cec688f189c1a4dbe3e0a0679297389f1312f3b0789da2725ff8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|87aaacdec369cec688f189c1a4dbe3e0a0679297389f1312f3b0789da2725ff8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "create_deck/tests/test_write_apkg.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI PATCH helpers.write_apkg.FastPackage has no auth"}, "properties": {"repobilityId": 127498, "scanner": "repobility-route-auth", "fingerprint": "81f932a1b98c4e577776af4267635c4158ca406151eb308df9c0c2f923c6f271", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|81f932a1b98c4e577776af4267635c4158ca406151eb308df9c0c2f923c6f271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "create_deck/tests/test_write_apkg.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127495, "scanner": "repobility-ast-engine", "fingerprint": "eb17bc8bcb0175ec1f2dfbc2e9e27a563a95415c63f4fc3904762abc55f4c9ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb17bc8bcb0175ec1f2dfbc2e9e27a563a95415c63f4fc3904762abc55f4c9ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIn` used but never assigned in __init__"}, "properties": {"repobilityId": 127494, "scanner": "repobility-ast-engine", "fingerprint": "341a064b74bb95fbfb0e2c16acfbdaf948ea60f7202a3779975954b789ae1a16", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|341a064b74bb95fbfb0e2c16acfbdaf948ea60f7202a3779975954b789ae1a16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIn` used but never assigned in __init__"}, "properties": {"repobilityId": 127493, "scanner": "repobility-ast-engine", "fingerprint": "45fcbc5cb25acdf72e5118c6cc44982bc0e69a77cbd56b04926b8a220ca3b666", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|45fcbc5cb25acdf72e5118c6cc44982bc0e69a77cbd56b04926b8a220ca3b666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127492, "scanner": "repobility-ast-engine", "fingerprint": "4db9f92ff7520efaa19fd3a840775298d7dc5ec748c25dfcab4175a6c3f4a86a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4db9f92ff7520efaa19fd3a840775298d7dc5ec748c25dfcab4175a6c3f4a86a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127491, "scanner": "repobility-ast-engine", "fingerprint": "3f9fd26fb8857c0099c06ffa864f94389bed3a11b21ee3b928c95639c2dc299d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f9fd26fb8857c0099c06ffa864f94389bed3a11b21ee3b928c95639c2dc299d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIn` used but never assigned in __init__"}, "properties": {"repobilityId": 127490, "scanner": "repobility-ast-engine", "fingerprint": "25db9a0b3b657017e4b554192f11210c14185936b39f722aee5e59921b594e51", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|25db9a0b3b657017e4b554192f11210c14185936b39f722aee5e59921b594e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127489, "scanner": "repobility-ast-engine", "fingerprint": "16fe3c2ad5e9dd3be2c4ac056dc9dc3065e601a27b97c66c63572cf2db6c8c61", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|16fe3c2ad5e9dd3be2c4ac056dc9dc3065e601a27b97c66c63572cf2db6c8c61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127488, "scanner": "repobility-ast-engine", "fingerprint": "f67d518d3c90f7036bd4e2776984e62889ae37e16e302d0b0fd76fde67048f26", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f67d518d3c90f7036bd4e2776984e62889ae37e16e302d0b0fd76fde67048f26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127487, "scanner": "repobility-ast-engine", "fingerprint": "326f3d00a6ac05ecfa565d64635e3b7a8c90f3680380a6b4acb51848f5dd6547", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|326f3d00a6ac05ecfa565d64635e3b7a8c90f3680380a6b4acb51848f5dd6547"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIn` used but never assigned in __init__"}, "properties": {"repobilityId": 127486, "scanner": "repobility-ast-engine", "fingerprint": "55a884b5d9684e140f3e4b69cc793ef3c9b5cbcff0d0c2c866306e5e9edb6b77", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|55a884b5d9684e140f3e4b69cc793ef3c9b5cbcff0d0c2c866306e5e9edb6b77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIn` used but never assigned in __init__"}, "properties": {"repobilityId": 127485, "scanner": "repobility-ast-engine", "fingerprint": "1ab1777faccc444dedef56c844d438bd42db8bc35ac6fb0b2fd3a41dc54a1c7a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1ab1777faccc444dedef56c844d438bd42db8bc35ac6fb0b2fd3a41dc54a1c7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertIn` used but never assigned in __init__"}, "properties": {"repobilityId": 127484, "scanner": "repobility-ast-engine", "fingerprint": "4b0a935c2213b2d6788f75fdd5707689fa13121d70b75408c4f86e2e47bbfb5a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4b0a935c2213b2d6788f75fdd5707689fa13121d70b75408c4f86e2e47bbfb5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127483, "scanner": "repobility-ast-engine", "fingerprint": "fea95d89042df860fe9319debce8a9a73fc13110ac15500b92a9af41c77c8116", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fea95d89042df860fe9319debce8a9a73fc13110ac15500b92a9af41c77c8116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127482, "scanner": "repobility-ast-engine", "fingerprint": "1aa08310b8a3785366aef59a51fffbdb601aa99a193d0583d119b8285cb0f79d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1aa08310b8a3785366aef59a51fffbdb601aa99a193d0583d119b8285cb0f79d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127481, "scanner": "repobility-ast-engine", "fingerprint": "065811db1cdbf6a29666a104b3d4d3fc3673ef889bcc388c4100f133642a1647", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|065811db1cdbf6a29666a104b3d4d3fc3673ef889bcc388c4100f133642a1647"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127480, "scanner": "repobility-ast-engine", "fingerprint": "5cdf8da0ce5f2edf6f4743e922cb5b24dcf61a186065936d8e156df99271f97a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5cdf8da0ce5f2edf6f4743e922cb5b24dcf61a186065936d8e156df99271f97a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127479, "scanner": "repobility-ast-engine", "fingerprint": "c8ec9af05ec4df538bbd470c26fc0824caca39b37caed983dcc36f483957dd59", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c8ec9af05ec4df538bbd470c26fc0824caca39b37caed983dcc36f483957dd59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127478, "scanner": "repobility-ast-engine", "fingerprint": "3f1c74ff043373b24c61a1ba17c482345ff864c40c8ea779e058fb3e381b91c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f1c74ff043373b24c61a1ba17c482345ff864c40c8ea779e058fb3e381b91c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127477, "scanner": "repobility-ast-engine", "fingerprint": "9ef1abe9f1f16ce58844c683a18cb63248938f6b71f687fdd74a2aaec0c78ab0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9ef1abe9f1f16ce58844c683a18cb63248938f6b71f687fdd74a2aaec0c78ab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127476, "scanner": "repobility-ast-engine", "fingerprint": "a1670cb3646cd6f400384acc797c4768f015dbed0ac9d0272b19bcf2a4564479", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a1670cb3646cd6f400384acc797c4768f015dbed0ac9d0272b19bcf2a4564479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127475, "scanner": "repobility-ast-engine", "fingerprint": "aba2ac677cd231fda72b4b3dc5f28dff2e21a805c07710ac2cd98597594926f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aba2ac677cd231fda72b4b3dc5f28dff2e21a805c07710ac2cd98597594926f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127474, "scanner": "repobility-ast-engine", "fingerprint": "158bbf78dc2ca061b6aa75381818153f906fb641a55c577d4acc23305f2b5e86", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|158bbf78dc2ca061b6aa75381818153f906fb641a55c577d4acc23305f2b5e86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127473, "scanner": "repobility-ast-engine", "fingerprint": "c6af25cc4b5031d2616d56003fc3ab2e55b8dd32566661555787e96f50289dda", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6af25cc4b5031d2616d56003fc3ab2e55b8dd32566661555787e96f50289dda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127472, "scanner": "repobility-ast-engine", "fingerprint": "e87edb657274f123647a3d3101947a6f10faa54dba7419fe167b7193f1b47619", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e87edb657274f123647a3d3101947a6f10faa54dba7419fe167b7193f1b47619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.assertEqual` used but never assigned in __init__"}, "properties": {"repobilityId": 127471, "scanner": "repobility-ast-engine", "fingerprint": "00720839203005e8d1df240a3713ffa563c5809bc505679a192adf506a91b6ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|00720839203005e8d1df240a3713ffa563c5809bc505679a192adf506a91b6ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/hooks/pre-push-typecheck.test.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 127733, "scanner": "repobility-journey-contract", "fingerprint": "dc8c0049fcd7eea00416ab81f8050840565dd8e25506bfde9982cc1fb8b3426f", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|23|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/AccountClaimPage/AccountClaimPage.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 127675, "scanner": "gitleaks", "fingerprint": "f9bf62db8e36fa3b409eba7e34a60e62dcf26aeb6d47fe36e37da21c221664f5", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key: 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|42|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/ops/BusinessMetricsService.ts"}, "region": {"startLine": 428}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 127674, "scanner": "gitleaks", "fingerprint": "50a1fbc1241bd0553e1dd56d1942e48fd6d6277f08e31500bedbf84e11df1179", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "process.env.APPLE_PRIVATE_KEY_B64 = REDACTED;", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|48|token redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/AuthenticationService.test.ts"}, "region": {"startLine": 486}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 127673, "scanner": "gitleaks", "fingerprint": "72c4450a89c68e9db89e0ac1bc0a7da2405418441986702cef9e82da3edeadc6", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token-hash=REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|src/templates/readme.html|67|token-hash redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/templates/README.html"}, "region": {"startLine": 672}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127672, "scanner": "gitleaks", "fingerprint": "1ee189c0ae331105ebb2dfa857bfd00e33bf09552f481e44a8c748f4e8596ea3", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|28|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["aws-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["1ee189c0ae331105ebb2dfa857bfd00e33bf09552f481e44a8c748f4e8596ea3", "2ab42febcb2bac4461dc2e17bcd48c3637a07c11153720501ff6b965e6f35c30"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/e673858e-5371-4ddf-84c6-b04a3bbd5c34.json"}, "region": {"startLine": 281}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127671, "scanner": "gitleaks", "fingerprint": "ef1bca462ca1b778cae670bf1ea9d9ffc56ebae188a3fec3ca2c96d8bf2ba92c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|20|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["aws-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["59d65833dee0ff5fe867b2dbb7ee47b4aebffff818a9621c6c49beb4203d3a87", "ef1bca462ca1b778cae670bf1ea9d9ffc56ebae188a3fec3ca2c96d8bf2ba92c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/e673858e-5371-4ddf-84c6-b04a3bbd5c34.json"}, "region": {"startLine": 206}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127670, "scanner": "gitleaks", "fingerprint": "0cb4969600279cf6146b23a4e0132faa4232579042770523f7be93460930a1de", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|14|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["aws-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["0cb4969600279cf6146b23a4e0132faa4232579042770523f7be93460930a1de", "95bea1ed93b595ee980c919a1de9f4a26f850ad80525faac5d03b4de5eb91709"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/bf4ae913-40b5-4f7f-9400-2e7b2b6ee937.json"}, "region": {"startLine": 149}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127669, "scanner": "gitleaks", "fingerprint": "88b114b04acd2cab102323496a2c97eb73712acd51c372777a28bdc4b0ee1377", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|26|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/9f96d8fb-5b10-4b65-8655-15d3b0ba4f07.json"}, "region": {"startLine": 269}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127668, "scanner": "gitleaks", "fingerprint": "a384c0bdad2c588eb5c7a9f4bb6aa1e92453f686ccd79e15c3a2468c6423a89a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|17|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/9f96d8fb-5b10-4b65-8655-15d3b0ba4f07.json"}, "region": {"startLine": 178}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127667, "scanner": "gitleaks", "fingerprint": "412bdccdcaf26556ec50c220d6907669588177055def2c24148e78610878897c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|13|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/aa5430cd-8332-4037-b7e0-6cb1807a804f.json"}, "region": {"startLine": 140}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127666, "scanner": "gitleaks", "fingerprint": "8864fa1a1c12152741d3f3eeb45e17d4c7560b0ba19691f5a468f364926eff9e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 5 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|9|redacted", "duplicate_count": 5, "duplicate_rule_ids": ["aws-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["2f5405fa88c370c1fcce483d45be09ee483f90dfd085ed68196c1865f205036f", "783ebfdbe5f418d30dd0b0e77c0bdb02e3e6beb9ecdee5c0d6a46f0decba6696", "8864fa1a1c12152741d3f3eeb45e17d4c7560b0ba19691f5a468f364926eff9e", "9909fa0e30882b286d33424aee36aefd80c8964f7009d8fea64cd67afbb58f60", "b7ed39335a75c532ddbb84575b9dac5fb6a2b7ace1773c9ac25f58e2b7064db1", "c5ae78f614ed3a6eb4a8663c74028183d12321e71404b6585f0142eaabfbb354"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/7c24b0b0-3cbd-444e-95e7-348893c00f9c.json"}, "region": {"startLine": 94}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127665, "scanner": "gitleaks", "fingerprint": "a05c03e4f9baf515c0bef7eb300fecd49b49e35360348ebf71c8c6808ecdc516", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 3 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|16|redacted", "duplicate_count": 3, "duplicate_rule_ids": ["aws-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["44ddf86768a1cfb4fb9aabb86e50c6b988f0d72b943f4a3cb8140202e09220bb", "96bbe9c5fbf6d01b08d2491a9a82f3c37ad0df1833e0492d6bfa6be95ad388a1", "a05c03e4f9baf515c0bef7eb300fecd49b49e35360348ebf71c8c6808ecdc516", "a87e48ec9cb5361e40f08ff8319f658e0e341321b2ad78571ff2ba326638cd99"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/8d316348-8a7e-481a-8a54-b621c1d8e16f.json"}, "region": {"startLine": 161}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127664, "scanner": "gitleaks", "fingerprint": "608cd429e4cecef311c93e9979a44a1b57673dc2d982fa31741e7e0b50ef1dee", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 12 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|2|redacted", "duplicate_count": 12, "duplicate_rule_ids": ["aws-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["07cea6f42babe338c9905b7ef7f5ab48f31bf58c7a9d2457f32195b2b33bf1f3", "25cb0d2d22ebadff58b5255d262f96c7ce7eed58b012dc3154afc56450cfddbb", "35d6afdbb03149c6586424ef9e1dc3434cedb87461460d64288e12513f685404", "45cd833348b704a9fbab28d249f9c328efd595aab831ff075af516fe79336641", "54b2c861a058e6bce1ffd871a700001db41ba1d1771a4f49041a5e08673ca7d4", "608cd429e4cecef311c93e9979a44a1b57673dc2d982fa31741e7e0b50ef1dee", "7456e01b5e1b5bf09ea4b67e262aa8b2313cba8e265ec64ee91a214570565f98", "832d17887c962a1415283baf1e99f9edbbf651da6e67300f240b4d1ec10799ce", "c6488ada6638f0e2a1a824a174d19bc1b46ea97415b87853b37bac69d5184ebb", "cc829534290d5b269c6f4f65d782831b09a67118dabad0081fc009de06088d00", "d08f2103f9c38bfbdcf4dedf7e6ff2f0b61865e9880e390ddc50ebaa8119cf47", "d706f8d203ddb03940cc4e90b27d6f6c5b6cb67e3cb60950aa1f68c2ea7f0c62"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/3a3591d9-ece2-47e3-8653-8cde6665ba6e.json"}, "region": {"startLine": 29}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127663, "scanner": "gitleaks", "fingerprint": "2ac4c9f66b8df0af2e51521b7c534f32a10e687f7c688beac73cb7b375a50c46", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|8|redacted", "duplicate_count": 2, "duplicate_rule_ids": ["aws-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["2ac4c9f66b8df0af2e51521b7c534f32a10e687f7c688beac73cb7b375a50c46", "e6d56e638b09d5779e466155f65775949c0bb520f58b7620f84b7bd43687683a", "f8edd0fa522e8671effdbdd7f3e37c8fa0a90e0cbc16c4a6243129d2b6c1b379"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/4de52a2c-c4a3-4a33-98e3-1402c290712e.json"}, "region": {"startLine": 90}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127662, "scanner": "gitleaks", "fingerprint": "e868a6cb6dd3626af645a871bce704cea5c3a0f31d23929febeba721975cf245", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|5|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["aws-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["4352fbbe1d8d58651dfe825330c59a55b746f2049ec5dc160d40c493010fc4ca", "e868a6cb6dd3626af645a871bce704cea5c3a0f31d23929febeba721975cf245"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/282720db-142b-4606-b230-bb75d1be1a4b.json"}, "region": {"startLine": 54}}}]}, {"ruleId": "aws-access-token", "level": "error", "message": {"text": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."}, "properties": {"repobilityId": 127661, "scanner": "gitleaks", "fingerprint": "23a693522657cd9820a12cce2915064e711dc835bd21ad695d8db2c20b384e40", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 12 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED", "rule_id": "aws-access-token", "scanner": "gitleaks", "detector": "aws-access-token", "correlation_key": "secret|token|7|redacted", "duplicate_count": 12, "duplicate_rule_ids": ["aws-access-token"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["0d5e8424daf8f70cbf9de99c48a10aef57f3d58dee28abb163101eefe6d724f2", "11eead4426d26c1f97b682f8c3a220c8539ee5c65cf2834469d56545b305df75", "18e09c720e39e0f405886cc238a6ca5252bb9a4725d26aafebd37d3a8cf12b74", "23a693522657cd9820a12cce2915064e711dc835bd21ad695d8db2c20b384e40", "4f326cb058eabc96580a1e69556490da9790357abcaac589800c0cf674e8826f", "8ab5ed8959b5c9a8fbea829bac39641f2b556f51e17455107540bf871ecfc15a", "8eb3d6a0872b570e1c07de8555d9e34b623b828e6983a22c7e0792e124cc41da", "90cbe097e517fe99e368ff4c02f9a8cedd3c3a6ed044309ed899d74522064361", "aeee041b36d6599bc5c977a1385c76697990cca254e1e52aa7f0cdbaac01f162", "b92c80a44d0ca8272bbd339855dd0ad5c9f27a17deb038c300b6da3782443c4e", "b9e2b6bb1a062a5891afe428c667cec4cecd52414d20deaf0fee8e3af030927d", "cc777cc6a2ae4ebfd059567e053d644c2f7901839e5ba5faa0bd2571f1ae5242"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/NotionService/_mock/payloads/ListBlockChildrenResponse/05a5b1e6-eef3-483b-b8da-b16b84fd50d1.json"}, "region": {"startLine": 72}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 127660, "scanner": "gitleaks", "fingerprint": "a12143944b1f51e9335fda1e9b73692eabb060bbce2ea6dc3a7021e5dfd95636", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "TOKEN = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|token redacted", "duplicate_count": 1, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["a12143944b1f51e9335fda1e9b73692eabb060bbce2ea6dc3a7021e5dfd95636", "b789a0bb245d904ab5562ba4d643bb4624f7b5acb5fa5c499f225d926e284095"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/controllers/ResumeCheckoutController.test.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 127659, "scanner": "gitleaks", "fingerprint": "a907ff41b16ebedece42da6ae01c9a38daa7119d463d0febc627bf931254e66e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key: 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|9|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/controllers/DownloadController.test.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 127658, "scanner": "gitleaks", "fingerprint": "e745cd0fbf9d9716c04ed8f1208482ba98dac798d9e3dc5f0d67c3296aae582b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key: 'REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|7|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/controllers/DownloadController.test.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 127617, "scanner": "repobility-threat-engine", "fingerprint": "222c14b04efe80a830720d1faf6fcb03f56b64d644c8b2fa2106aca42585572a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|222c14b04efe80a830720d1faf6fcb03f56b64d644c8b2fa2106aca42585572a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/data_layer/ConversationsRepository.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 127616, "scanner": "repobility-threat-engine", "fingerprint": "aa98b69ac7c697b1d6bf2a6ccf9b35e00c82f44b22cfdb106d02aca6bbe89466", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa98b69ac7c697b1d6bf2a6ccf9b35e00c82f44b22cfdb106d02aca6bbe89466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/controllers/TemplatesController.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 127615, "scanner": "repobility-threat-engine", "fingerprint": "411c7cfa04973f616dfea95b3bee607f3af79840e44fa227007ab96e42d78402", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|411c7cfa04973f616dfea95b3bee607f3af79840e44fa227007ab96e42d78402"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/controllers/ConversationsController.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 127610, "scanner": "repobility-threat-engine", "fingerprint": "7e923df4256c0a05a585dd5032651f8feb6fa96926655c97bfe687ecef323eb2", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://aa:focaccia@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|src/knexconfig.ts|1|postgresql://aa:focaccia"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/KnexConfig.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 127609, "scanner": "repobility-threat-engine", "fingerprint": "64784b9e3167aceab133c2101cdd6cba695e320c36fb7a50a2533a6b06a459f1", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://[USER]:[PASSWORD]@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|10|postgresql:// user : password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/digitalocean/config.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 127537, "scanner": "repobility-supply-chain", "fingerprint": "29c4ae7a48d0fe60617a6662aac27c674560e13356fa6da62c38a914e0e890a9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29c4ae7a48d0fe60617a6662aac27c674560e13356fa6da62c38a914e0e890a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 36}}}]}]}]}