{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "Add a valid manifest.json or site.webmanifest and reference it from the document head. Include name, icons, start_url, display, and theme colors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. 
For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /au"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 15.6% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 15.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `adminer` image uses the latest tag", "shortDescription": {"text": "Compose service `adminer` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs 
dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. 
Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC086", "name": "[SEC086] JS: bidirectional Unicode (Trojan Source): Bidirectional Unicode override chars in source \u2014 Trojan Source attac", "shortDescription": {"text": "[SEC086] JS: bidirectional Unicode (Trojan Source): Bidirectional Unicode override chars in source \u2014 Trojan Source attack (CVE-2021-42574). Ported from eslint-plugin-security detect-bidi-characters (Apache-2.0)."}, "fullDescription": {"text": "Remove the bidi chars or encode them explicitly. Use `cargo geiger`-style CI lint for new commits."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. 
If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", 
"confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to 
`depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 22 more): Same pattern found in 22 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED027] React State Array Mutation (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED065] Cors Wildcard (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. 
", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED015", "name": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection.", "shortDescription": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 40 more): Same pattern found in 40 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 62 more): Same pattern found in 62 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 62 more): Same pattern found in 62 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 8 more): Same pattern found in 8 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 215 more): Same pattern found in 215 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 215 more): Same pattern found in 215 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 15 more): Same pattern found in 15 additional files. 
Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 24 more): Same pattern found in 24 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `mcr.microsoft.com/playwright:v1.40.0-jammy` not pinned by digest: `FROM mcr.microsoft.com/pl", "shortDescription": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/playwright:v1.40.0-jammy` not pinned by digest: `FROM mcr.microsoft.com/playwright:v1.40.0-jammy` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so "}, "fullDescription": {"text": "Replace with: `FROM mcr.microsoft.com/playwright:v1.40.0-jammy@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /chat/completions has no auth: Express route POST /chat/completions declared without an auth mid", "shortDescription": {"text": "[MINED113] Express POST /chat/completions has no auth: Express route POST /chat/completions declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 b"}, "fullDescription": {"text": "Add an auth middleware: app.post('/chat/completions', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. 
If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. 
Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render.", "shortDescription": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. 
Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED104", "name": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local pr", "shortDescription": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks."}, "fullDescription": {"text": "Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED123", "name": "[MINED123] Trojan Source bidi character (LRE) in source: Line 183 contains a Unicode bidirectional override character (U", "shortDescription": {"text": "[MINED123] Trojan Source bidi character (LRE) in source: Line 183 contains a Unicode bidirectional override character (U+202A LRE). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see diff"}, "fullDescription": {"text": "Audit the line manually. 
If the character is not intentional (it almost never is in code), remove it. Configure your editor / pre-commit hook to reject bidi controls in source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, whic", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NPM_TOKEN }` lets a PR from any fork exfiltrate the secret (modify"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED120", "name": "[MINED120] package.json `scripts.postinstall` runs network/exec on install: `scripts.postinstall: node -e \"const{execSyn", "shortDescription": {"text": "[MINED120] package.json `scripts.postinstall` runs network/exec on install: `scripts.postinstall: node -e \"const{execSync}=require('child_process');try{execSync('agent-browser --version',{stdio:'ignore'});}catch{consol` runs during `npm ins"}, "fullDescription": {"text": "Move the logic to an explicit build step (npm run build), or remove the hook. 
Run with `--ignore-scripts` in CI to audit what depends on these hooks."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). 
Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/899"}, "properties": {"repository": "ruvnet/ruflo", "repoUrl": "https://github.com/ruvnet/ruflo", "branch": "main"}, "results": [{"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 83915, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 83914, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", 
"https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 83913, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 83908, "scanner": "repobility-journey-contract", "fingerprint": "e12a2342c40d734edf57d0ac6a3291dfb2e7cdc40acc4defc6b8319115b46cca", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/users", "correlation_key": "fp|e12a2342c40d734edf57d0ac6a3291dfb2e7cdc40acc4defc6b8319115b46cca", 
"backend_endpoint_count": 32}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/testing/src/helpers/setup-teardown.ts"}, "region": {"startLine": 439}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /autopilot/detail/:token."}, "properties": {"repobilityId": 83907, "scanner": "repobility-access-control", "fingerprint": "f416823c15cd9781683fa47533011e0d4948772aff5c8693d2bc8546a6a3cc41", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/autopilot/detail/:token", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|1729|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/mcp-bridge/index.js"}, "region": {"startLine": 1729}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /autopilot/detail/:token."}, "properties": {"repobilityId": 83906, "scanner": "repobility-access-control", "fingerprint": "627fa627e83adcdbc3fba5e5eb79e8b4b67a52f4e1fed67446068f4291ce53ae", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/autopilot/detail/:token", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|1524|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/mcp-bridge/index.js"}, "region": {"startLine": 1524}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 15.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 83905, "scanner": "repobility-access-control", "fingerprint": "3ccce9b789a10720b139eef273beb7d6913b271fd63d5817079b6db7606c5248", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 32, "correlation_key": "fp|3ccce9b789a10720b139eef273beb7d6913b271fd63d5817079b6db7606c5248", "auth_visible_percent": 15.6}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 83904, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", 
"category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `adminer` image uses the latest tag"}, "properties": {"repobilityId": 83901, "scanner": "repobility-docker", "fingerprint": "b7bacc9c61b922e76056db6c7aebaa2960f8c710fd90f2d91bc8a4e55f9b66a8", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "adminer:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b7bacc9c61b922e76056db6c7aebaa2960f8c710fd90f2d91bc8a4e55f9b66a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/plugins/examples/ruvector/docker-compose.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 83900, "scanner": "repobility-docker", "fingerprint": "18ad705b9571b78296ad46aa4456271fac8bbc412143868f0845e57c55ff85b7", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this 
Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|18ad705b9571b78296ad46aa4456271fac8bbc412143868f0845e57c55ff85b7", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/plugins/examples/ruvector/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 83869, "scanner": "repobility-docker", "fingerprint": "2c21f887b6e9ab6d8413fac9859bd8f3f90f96c990e5849dd1e80ca987d17acf", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2c21f887b6e9ab6d8413fac9859bd8f3f90f96c990e5849dd1e80ca987d17acf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/docker-compose.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 83867, "scanner": "repobility-docker", "fingerprint": "d945a9c2a41fc923409c864b52441739ea052b7d58fa4a02660bcac0b2bebf85", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final 
runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/playwright:v1.40.0-jammy", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d945a9c2a41fc923409c864b52441739ea052b7d58fa4a02660bcac0b2bebf85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/docker/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 83866, "scanner": "repobility-docker", "fingerprint": "bfaa6761462fb751d3c72d384d6fdc7619df8c12e0e62c91a6d7af806dc57ca9", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 13 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 13, "correlation_key": "fp|bfaa6761462fb751d3c72d384d6fdc7619df8c12e0e62c91a6d7af806dc57ca9", "dependency_install_line": 19}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/docker/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 83864, "scanner": "repobility-docker", "fingerprint": "86c18de24e74993ef2aaaa8c3cad1eaaea257b352f0528d538e35c74f0425795", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", 
"evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|86c18de24e74993ef2aaaa8c3cad1eaaea257b352f0528d538e35c74f0425795"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 83861, "scanner": "repobility-docker", "fingerprint": "432213207dfc309f1b457b69e8c55af507ec641deb0436873aae8a2a5323fe8b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "local_db_${INCLUDE_DB}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|432213207dfc309f1b457b69e8c55af507ec641deb0436873aae8a2a5323fe8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/Dockerfile"}, "region": {"startLine": 79}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 83857, "scanner": "repobility-docker", "fingerprint": "bf3f4b45053ef0712dec7fff9290fc7e56c9b6dd11fe24b9ce7909d52124805e", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package 
installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bf3f4b45053ef0712dec7fff9290fc7e56c9b6dd11fe24b9ce7909d52124805e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 83856, "scanner": "repobility-docker", "fingerprint": "e411968a51e81138669a25d8d084b204de0fea09bbffb3239ee3cc814eeb8e7b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e411968a51e81138669a25d8d084b204de0fea09bbffb3239ee3cc814eeb8e7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 83854, "scanner": "repobility-docker", "fingerprint": "a4bcf97865dc4f4cbe1d599d059b2cb38300bc03d32e5a85c73d3d45c0de83c5", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", 
"scanner": "repobility-docker", "final_base": "nginx:1.27-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a4bcf97865dc4f4cbe1d599d059b2cb38300bc03d32e5a85c73d3d45c0de83c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/nginx/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 83853, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 83852, "scanner": "repobility-docker", "fingerprint": "c5824ddecf8364a1b6bb99012ecb6c93be5cd62678c589bc997d47ccbc3b2b97", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/huggingface/chat-ui-db:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c5824ddecf8364a1b6bb99012ecb6c93be5cd62678c589bc997d47ccbc3b2b97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/chat-ui/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 83821, "scanner": "repobility-threat-engine", "fingerprint": "39f5d9501ec581dada7584a0fda5677db159c96f2e1d4062d45ba360bc69a9b0", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"/WIDGET-INTEGRATION.md\" target=\"_blank\" className=\"text-primary hover:underline\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|228|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/goal_ui/src/pages/Demo.tsx"}, "region": {"startLine": 228}}}]}, {"ruleId": "SEC086", "level": "warning", "message": {"text": "[SEC086] JS: bidirectional Unicode (Trojan Source): Bidirectional Unicode override chars in source \u2014 Trojan Source attack (CVE-2021-42574). 
Ported from eslint-plugin-security detect-bidi-characters (Apache-2.0)."}, "properties": {"repobilityId": 83812, "scanner": "repobility-threat-engine", "fingerprint": "3816ef82fa7f189c2878cad47915bc3efbfd4ccdc774a309cca1521d3e7ba957", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\u202a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC086", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3816ef82fa7f189c2878cad47915bc3efbfd4ccdc774a309cca1521d3e7ba957"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/security/src/tool-output-guardrail.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "SEC002", "level": "warning", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 83803, "scanner": "repobility-threat-engine", "fingerprint": "db3c77e8c16370ff6cc8a0a2dd0d1d932ebe640b7652d3c35f698ae77d9254e7", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (4.5 bits) \u2014 may be placeholder or common string", "evidence": {"match": "api_key = \"<redacted>\"", "reason": "Low entropy value (4.5 bits) \u2014 may be placeholder or common string", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|v3/ token|9|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/guidance/wasm-kernel/src/gates.rs"}, "region": {"startLine": 93}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 83800, "scanner": 
"repobility-threat-engine", "fingerprint": "a36580f2086908475df4235e662227acf3cce28a4cf80cd9c05bd965e6b8cd6d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a36580f2086908475df4235e662227acf3cce28a4cf80cd9c05bd965e6b8cd6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/appliance/rvfa-runner.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 83799, "scanner": "repobility-threat-engine", "fingerprint": "5a16fa3761c5f95778f2a25b20c286493cb3609363c4e409238bcf808196bd01", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5a16fa3761c5f95778f2a25b20c286493cb3609363c4e409238bcf808196bd01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/scripts/bench-rvagent.mjs"}, "region": {"startLine": 226}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 83798, "scanner": "repobility-threat-engine", "fingerprint": "00c629b71cfaec15c2c1f5e91abd1af19d6cfeeaf218171ff548e3faebd12f67", "category": "error_handling", "severity": "medium", "confidence": 
1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00c629b71cfaec15c2c1f5e91abd1af19d6cfeeaf218171ff548e3faebd12f67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/.claude/helpers/hook-handler.cjs"}, "region": {"startLine": 283}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 83785, "scanner": "repobility-threat-engine", "fingerprint": "9ff9acf80fca728b9b86afece03c74d619146eb2f6433faad26bb0e53ac53242", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: 'https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9ff9acf80fca728b9b86afece03c74d619146eb2f6433faad26bb0e53ac53242"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/scripts/benchmark-substrate.mjs"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that 
silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 83783, "scanner": "repobility-threat-engine", "fingerprint": "ed1b1418152288e11dfa4b72da411192641d269e1b6655f16b1f51d8a2bd4bc7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (err) {\n    return null;\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ed1b1418152288e11dfa4b72da411192641d269e1b6655f16b1f51d8a2bd4bc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/audit-wrapper-dep-ranges.mjs"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 83772, "scanner": "repobility-threat-engine", "fingerprint": "2884a3f321b0ad0461a3e92e4332ae66e88baef998dbb100fe6b3ba3f7f9e514", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|40|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"scripts/smoke-workflows-yaml.mjs"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 83771, "scanner": "repobility-threat-engine", "fingerprint": "652ba685c6727445df4f93db24c57675c9fe4db0caeb1a68544cac4c14da10a1", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|7|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/scripts/updateLocalEnv.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 83748, "scanner": "repobility-threat-engine", "fingerprint": "d81ab9107d89b6ebd8a96330fdfad9ba8dd6023615ea119d74ef9b01fa9c363d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ivate generateId(): string {\n    return `hook-${Date.now()}-${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d81ab9107d89b6ebd8a96330fdfad9ba8dd6023615ea119d74ef9b01fa9c363d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/hooks/src/registry/index.ts"}, "region": {"startLine": 238}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 83747, "scanner": "repobility-threat-engine", "fingerprint": "d075584fa5a709e150a8782e440311559d47d5f5c4836dea23b8e6a1368ffa5d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() - 0.5) * 0.1));\n    }\n    transforms.push('differential-priv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d075584fa5a709e150a8782e440311559d47d5f5c4836dea23b8e6a1368ffa5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/transfer/anonymization/index.ts"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 83746, "scanner": "repobility-threat-engine", "fingerprint": "b23e8d3c7ae3124a21e4c8b48efab7014cc263c1e521be8fca798d2f139c2cca", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2, 8)}`;\n    const r = memoryStore('adr-edges', key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b23e8d3c7ae3124a21e4c8b48efab7014cc263c1e521be8fca798d2f139c2cca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-adr/scripts/import.mjs"}, "region": {"startLine": 220}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 83744, "scanner": "repobility-threat-engine", "fingerprint": "f046e0994168da6ded12fdc9a67ba1177b47af76a1effcd9050ee942bcd81704", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|59|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-cost-tracker/scripts/budget.mjs"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 83743, "scanner": "repobility-threat-engine", "fingerprint": "04de94f474742ff832964e91ceb58b9a8a42dbf5aea754e8a7c25d9390bb43e9", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|28|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-adr/scripts/verify.mjs"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 83742, "scanner": "repobility-threat-engine", "fingerprint": "e61ead5f96fce98e66d3b1f7d4790cd81adf6e584de77ce2d35736158d33e27f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|70|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-adr/scripts/import.mjs"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 83741, "scanner": "repobility-threat-engine", "fingerprint": "b8ce64e408cddd92316ef4cb1ee7c7582aefa7b88888a7061c2978f5d6edc2f9", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here | [R34 auto-suppress: test/fixture path]", "evidence": {"match": "key = new Array(64).fill(0).map(() => Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here | [R34 auto-suppress: test/fixture path]", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "code|crypto|v3/ token|387|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/integration/src/index.ts"}, "region": {"startLine": 387}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 83740, "scanner": "repobility-threat-engine", "fingerprint": "2c63c618ab085bad52eb4a5d83f1c35f56767330f1092f8728fb51b679ece62a", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "key = `${e.relation}:${e.from}->${e.to}:${Date.now()}-${Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|220|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-adr/scripts/import.mjs"}, "region": {"startLine": 220}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 83912, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 83911, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": 
"open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 83910, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 83909, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": 
"fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83903, "scanner": "repobility-docker", "fingerprint": "711663e0e02255d9e773d6cde59fa67cebac06b5b6c1367a0ae2e8eab1e1117c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "adminer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|711663e0e02255d9e773d6cde59fa67cebac06b5b6c1367a0ae2e8eab1e1117c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/plugins/examples/ruvector/docker-compose.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83902, "scanner": "repobility-docker", "fingerprint": "5d563770cc181894c80d26951a463115f4accfc08d64dce32a62f708e046397e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "adminer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5d563770cc181894c80d26951a463115f4accfc08d64dce32a62f708e046397e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/plugins/examples/ruvector/docker-compose.yml"}, 
"region": {"startLine": 55}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83899, "scanner": "repobility-docker", "fingerprint": "752c8959f2dbf1b2910f3bcddb00e3d3984d9250e27789eaa4e2d4afb219f31a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|752c8959f2dbf1b2910f3bcddb00e3d3984d9250e27789eaa4e2d4afb219f31a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/plugins/examples/ruvector/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83898, "scanner": "repobility-docker", "fingerprint": "059a573455e8e2c5fa18b208f357ce0adb1374d1ccfc6f1e105ef24ea352c5d4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "worker", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|059a573455e8e2c5fa18b208f357ce0adb1374d1ccfc6f1e105ef24ea352c5d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/docker/docker-compose.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": 
{"repobilityId": 83897, "scanner": "repobility-docker", "fingerprint": "9db440e4c93ad3413f3428dbf052c61961b91405fa760e999b6d8894130b7671", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ruflo-full", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9db440e4c93ad3413f3428dbf052c61961b91405fa760e999b6d8894130b7671"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/docker/docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83896, "scanner": "repobility-docker", "fingerprint": "8488e3521c520e05c04ea3d789bac372d9b6cab7276de620c50d9007f3dd6201", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mcp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8488e3521c520e05c04ea3d789bac372d9b6cab7276de620c50d9007f3dd6201"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/docker/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83895, "scanner": "repobility-docker", "fingerprint": "05f56175ea72c36f9c3a27591084262308fd71ed7bfad872d3d6ecbed596fb68", "category": "docker", "severity": "low", "confidence": 0.62, 
"triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "browser-e2e", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|05f56175ea72c36f9c3a27591084262308fd71ed7bfad872d3d6ecbed596fb68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/docker/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83894, "scanner": "repobility-docker", "fingerprint": "554f6891035ff9d86104efa04a71c679845eb3d9b2dc5d9eed901c072bb2e6d8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "browser-e2e", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|554f6891035ff9d86104efa04a71c679845eb3d9b2dc5d9eed901c072bb2e6d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/docker/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83893, "scanner": "repobility-docker", "fingerprint": "ed32fa3e56b7a36a489a5dacbcaef83ba23a9cd7e1e923998636187130bd54be", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": 
{"rule_id": "DKC010", "scanner": "repobility-docker", "service": "browser-debug", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ed32fa3e56b7a36a489a5dacbcaef83ba23a9cd7e1e923998636187130bd54be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/docker/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83892, "scanner": "repobility-docker", "fingerprint": "2cfacec681990077640926ea02675931b9a9a813e43724d12431df49e8ba45f3", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "browser-debug", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2cfacec681990077640926ea02675931b9a9a813e43724d12431df49e8ba45f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/docker/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83891, "scanner": "repobility-docker", "fingerprint": "5f5cbf37f7eebad8d15841a6c780b0b8a3b462504122e3e034d28cfa38ce36cc", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "browser-tests", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5f5cbf37f7eebad8d15841a6c780b0b8a3b462504122e3e034d28cfa38ce36cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83890, "scanner": "repobility-docker", "fingerprint": "3373931393b8a433a746e981d1094590b30c5305d2b4286cc80cbd5ca52f5061", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "browser-tests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3373931393b8a433a746e981d1094590b30c5305d2b4286cc80cbd5ca52f5061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83889, "scanner": "repobility-docker", "fingerprint": "29054f26777dbb12c6bde24b23304b55ed35748706922d19bbc8a72f86db16f8", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "security-tests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|29054f26777dbb12c6bde24b23304b55ed35748706922d19bbc8a72f86db16f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83888, "scanner": "repobility-docker", "fingerprint": "39cd14f0828b2d46b7e3d9edb69fd198883d5e2e57ff3547cdff31257d859a90", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "security-tests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|39cd14f0828b2d46b7e3d9edb69fd198883d5e2e57ff3547cdff31257d859a90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83887, "scanner": "repobility-docker", "fingerprint": "a809965aed080c4844395b8ab62dddd770116705c6a80641a8d6441fff989129", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "benchmark-tests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a809965aed080c4844395b8ab62dddd770116705c6a80641a8d6441fff989129"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83886, "scanner": "repobility-docker", "fingerprint": "2486f6161e0a6eb4dcbac2832ec20dcaf768b18c99aa654d39abc83fd93b699d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "benchmark-tests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2486f6161e0a6eb4dcbac2832ec20dcaf768b18c99aa654d39abc83fd93b699d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83885, "scanner": "repobility-docker", "fingerprint": "ab74ef7b7f605247bac8cfa2f56d76ac07d01eb6ba6d2e8d6049d178ea4ce5f0", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "integration-tests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ab74ef7b7f605247bac8cfa2f56d76ac07d01eb6ba6d2e8d6049d178ea4ce5f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not 
declare a runtime user"}, "properties": {"repobilityId": 83884, "scanner": "repobility-docker", "fingerprint": "d2f5ae9745f5ab13fc47026e00a27fc2cffca8d52ecd62d5571f6e02864cfa98", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "integration-tests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d2f5ae9745f5ab13fc47026e00a27fc2cffca8d52ecd62d5571f6e02864cfa98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83883, "scanner": "repobility-docker", "fingerprint": "149c3796b1dfaa79c605fc72b63991a68c8214e987baafe2c1aee00cfc90d9d9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "unit-tests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|149c3796b1dfaa79c605fc72b63991a68c8214e987baafe2c1aee00cfc90d9d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83882, "scanner": "repobility-docker", "fingerprint": 
"ed6636072afee6660c5ab3b6c326ab7bed42385f26a91f6648578e680bb2c071", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "unit-tests", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ed6636072afee6660c5ab3b6c326ab7bed42385f26a91f6648578e680bb2c071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83881, "scanner": "repobility-docker", "fingerprint": "4273718d0fdbe485c4866dd8e09d4154b91443870ab01cd764a2cb9b7b99ee18", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mcp-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4273718d0fdbe485c4866dd8e09d4154b91443870ab01cd764a2cb9b7b99ee18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83880, "scanner": "repobility-docker", "fingerprint": "f0701a61839777433329b88126b9a32d387ef75607599799009317379676d50c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", 
"isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mcp-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f0701a61839777433329b88126b9a32d387ef75607599799009317379676d50c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83879, "scanner": "repobility-docker", "fingerprint": "d281800006f059f79eba47b4cf4503350e2091f0b7650ad1bd3c020d2f37d9eb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "test-runner", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d281800006f059f79eba47b4cf4503350e2091f0b7650ad1bd3c020d2f37d9eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83878, "scanner": "repobility-docker", "fingerprint": "a0d1af352f66395fb98e36bdbb4071c5d53a6da1e4a8ad5ba4545679886e8900", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": 
"repobility-docker", "service": "test-runner", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a0d1af352f66395fb98e36bdbb4071c5d53a6da1e4a8ad5ba4545679886e8900"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 83876, "scanner": "repobility-docker", "fingerprint": "87f6df0ac168504d000f0b3baa8ec9bf73b98badd39342dd3696ab107b77a12d", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "chat-ui", "dependency": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|87f6df0ac168504d000f0b3baa8ec9bf73b98badd39342dd3696ab107b77a12d", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/docker-compose.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83875, "scanner": "repobility-docker", "fingerprint": "a85f594576fa76040a93115b2c80e1e509666cc8beea73149431b08760917482", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "chat-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|a85f594576fa76040a93115b2c80e1e509666cc8beea73149431b08760917482"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/docker-compose.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83874, "scanner": "repobility-docker", "fingerprint": "b59f3405b29407db79e236d20756d7cbde3643f48e7d3fd2828f30d594f99b41", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "chat-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b59f3405b29407db79e236d20756d7cbde3643f48e7d3fd2828f30d594f99b41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/docker-compose.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83873, "scanner": "repobility-docker", "fingerprint": "0e1313f3d21f2c2c459039689a362990e30ce39657c40988b724ae2133ff9985", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "nginx", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0e1313f3d21f2c2c459039689a362990e30ce39657c40988b724ae2133ff9985"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/docker-compose.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "DKC006", 
"level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83872, "scanner": "repobility-docker", "fingerprint": "60dbb3cbe651da2f35a2ecd610b6e14cc189f60d5a1e723f8b7ea5c837260eec", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "nginx", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|60dbb3cbe651da2f35a2ecd610b6e14cc189f60d5a1e723f8b7ea5c837260eec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/docker-compose.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 83871, "scanner": "repobility-docker", "fingerprint": "867e8c36e0f7c7f3f99ffef8479c3e46add81e794f4c5cc4e6ea40fb1273a4f5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mcp-bridge", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|867e8c36e0f7c7f3f99ffef8479c3e46add81e794f4c5cc4e6ea40fb1273a4f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 83870, "scanner": "repobility-docker", "fingerprint": 
"2b5c23c88e5d7be10246976a680bce526ded5000f46fe7508ce443100c79b0c8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mcp-bridge", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2b5c23c88e5d7be10246976a680bce526ded5000f46fe7508ce443100c79b0c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 83862, "scanner": "repobility-docker", "fingerprint": "6cb68360656cfb48c6245ba478420eb6919bb19b1bc4bc7ae3961aa5fc55b97f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6cb68360656cfb48c6245ba478420eb6919bb19b1bc4bc7ae3961aa5fc55b97f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 83858, "scanner": "repobility-docker", "fingerprint": "818ad5433772aa808aebd5f21496287920f82b689b6e54fe1fa864b2a65c6ddb", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears 
without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|818ad5433772aa808aebd5f21496287920f82b689b6e54fe1fa864b2a65c6ddb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 83855, "scanner": "repobility-docker", "fingerprint": "e2d5ef1f9880ce3378cc393ebc389cdf3e8aa8faa6b25f93c91a6ccff6bd2694", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e2d5ef1f9880ce3378cc393ebc389cdf3e8aa8faa6b25f93c91a6ccff6bd2694"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.devcontainer/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83851, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8747062c9b4a8d46ca5e85f54c4f938021335b0f99e461c317b0c9d99811b904", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"v3/@claude-flow/cli/src/commands/ruvector/backup.ts", "duplicate_line": 60, "correlation_key": "fp|8747062c9b4a8d46ca5e85f54c4f938021335b0f99e461c317b0c9d99811b904"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/commands/ruvector/import.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83850, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b6b9044c819fc1c99b9e710333fc1dbe23fbecdeb887951e97f9b6800d2c95b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "v3/@claude-flow/cli/src/commands/ruvector/backup.ts", "duplicate_line": 4, "correlation_key": "fp|4b6b9044c819fc1c99b9e710333fc1dbe23fbecdeb887951e97f9b6800d2c95b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/commands/ruvector/benchmark.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83849, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5990e95ba869f3dda0796b92fc235903fbe527b15b8eeb0f30c2d4a9424bd2fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "v3/@claude-flow/cli/src/commands/appliance-advanced.ts", "duplicate_line": 3, 
"correlation_key": "fp|5990e95ba869f3dda0796b92fc235903fbe527b15b8eeb0f30c2d4a9424bd2fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/commands/appliance.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83848, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d53787ed21bdb17484dd6f79867f328d24cee0b34ba68bcd719171377b3738dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "v3/@claude-flow/cli/src/appliance/rvfa-distribution.ts", "duplicate_line": 120, "correlation_key": "fp|d53787ed21bdb17484dd6f79867f328d24cee0b34ba68bcd719171377b3738dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/appliance/rvfa-signing.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83847, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dd8091272717e434d82d942e24aa27eda7a90689add5eca185c65c5e27035b6e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "v3/@claude-flow/cli/src/appliance/gguf-engine.ts", "duplicate_line": 33, "correlation_key": 
"fp|dd8091272717e434d82d942e24aa27eda7a90689add5eca185c65c5e27035b6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/appliance/ruvllm-bridge.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83846, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7fcddebc26725c0bb1c5994d22c8b59ca519fdef48b4de8dfadee7bb1b9199be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "v3/@claude-flow/cli/cloud-functions/publish-registry/index.js", "duplicate_line": 16, "correlation_key": "fp|7fcddebc26725c0bb1c5994d22c8b59ca519fdef48b4de8dfadee7bb1b9199be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/scripts/publish-registry.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83845, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4bac1ca70c53b8131402d3bbef3901e09d877fe16db2984fd7deaca003761e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".claude/helpers/github-safe.js", "duplicate_line": 1, "correlation_key": "fp|c4bac1ca70c53b8131402d3bbef3901e09d877fe16db2984fd7deaca003761e9"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/.claude/helpers/github-safe.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83844, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f496057ddd728bae4b5b2114b37aa76f5850753bb63d4a1c0ef98bd8d864dca7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "v3/@claude-flow/browser/src/application/cookie-vault-service.ts", "duplicate_line": 117, "correlation_key": "fp|f496057ddd728bae4b5b2114b37aa76f5850753bb63d4a1c0ef98bd8d864dca7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/src/infrastructure/witness-signer.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83843, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c18650cdff3e27db5c88f355cb76da9b98fc42c1429bd315c7fc5ae9fd30a44", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/nginx/static/welcome.js", "duplicate_line": 1, "correlation_key": "fp|4c18650cdff3e27db5c88f355cb76da9b98fc42c1429bd315c7fc5ae9fd30a44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"ruflo/src/ruvocal/static/chatui/welcome.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83842, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a19840735d75e006c3d6ce9630bdc53668e1cb6b971100534ebcb498879c7093", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/routes/api/v2/user/settings/+server.ts", "duplicate_line": 10, "correlation_key": "fp|a19840735d75e006c3d6ce9630bdc53668e1cb6b971100534ebcb498879c7093"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/routes/settings/(nav)/+server.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83841, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7dc1d7c66292f67f341ccd4c926e7df4c045f15f08f16a4e1f340e602e67205d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/routes/conversation/[id]/+page.ts", "duplicate_line": 25, "correlation_key": "fp|7dc1d7c66292f67f341ccd4c926e7df4c045f15f08f16a4e1f340e602e67205d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/routes/r/[id]/+page.ts"}, "region": {"startLine": 
10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83840, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c8c3a40fb6220f2391117d328338f3823bc7f5c169d33b80440cc5c917b3beb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/routes/+page.svelte", "duplicate_line": 67, "correlation_key": "fp|5c8c3a40fb6220f2391117d328338f3823bc7f5c169d33b80440cc5c917b3beb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/routes/models/[...model]/+page.svelte"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83839, "scanner": "repobility-ai-code-hygiene", "fingerprint": "814018cade827cbdb056f6421b29a5ca1528f8bea2464761ce72e5b2f5ff6273", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/routes/api/v2/models/[namespace]/[model]/subscribe/+server.ts", "duplicate_line": 10, "correlation_key": "fp|814018cade827cbdb056f6421b29a5ca1528f8bea2464761ce72e5b2f5ff6273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/routes/api/v2/models/[namespace]/subscribe/+server.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83838, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e829734d8c13cffba101b6b06c8f3e004a1ccac2b85414417fe73cfc8a1817d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/routes/api/conversation/[id]/message/[messageId]/+server.ts", "duplicate_line": 16, "correlation_key": "fp|0e829734d8c13cffba101b6b06c8f3e004a1ccac2b85414417fe73cfc8a1817d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/routes/api/v2/conversations/[id]/message/[messageId]/+server.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83837, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0cbcb098e837f0051373784ff8e1a7e6ef684046d766a996913e7a09d479a709", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/lib/server/mcp/hf.ts", "duplicate_line": 4, "correlation_key": "fp|0cbcb098e837f0051373784ff8e1a7e6ef684046d766a996913e7a09d479a709"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/lib/utils/hf.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 83836, "scanner": "repobility-ai-code-hygiene", "fingerprint": "794fd229892ddd02f02662fafceab47d6decbbc6999a428525860d3fe1de5e37", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/lib/server/database/postgres.ts", "duplicate_line": 27, "correlation_key": "fp|794fd229892ddd02f02662fafceab47d6decbbc6999a428525860d3fe1de5e37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/lib/server/database/rvf.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83835, "scanner": "repobility-ai-code-hygiene", "fingerprint": "687d4cddecdbde63c3d8870eacfccc8bb339c48d58b252733429c9ae836c0632", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/lib/components/icons/IconBurger.svelte", "duplicate_line": 1, "correlation_key": "fp|687d4cddecdbde63c3d8870eacfccc8bb339c48d58b252733429c9ae836c0632"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/lib/components/icons/IconShare.svelte"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 83834, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a0d3d926d282bad57a605db8cd5cf974d7caaca328a03387550bb44d4d0c0051", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/lib/components/icons/IconBurger.svelte", "duplicate_line": 1, "correlation_key": "fp|a0d3d926d282bad57a605db8cd5cf974d7caaca328a03387550bb44d4d0c0051"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/lib/components/icons/IconNew.svelte"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83833, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b226fe2a66f677f21ab7b60a10e92a2443236c9442bf5dc7235cf7c9652f240", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/lib/components/icons/IconCheap.svelte", "duplicate_line": 1, "correlation_key": "fp|2b226fe2a66f677f21ab7b60a10e92a2443236c9442bf5dc7235cf7c9652f240"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/lib/components/icons/IconFast.svelte"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83832, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "0b6ccd903cdad48b16d7ee18820d27bc0a93c53228c48b94ffb5e881a071af9d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/lib/components/ShareConversationModal.svelte", "duplicate_line": 66, "correlation_key": "fp|0b6ccd903cdad48b16d7ee18820d27bc0a93c53228c48b94ffb5e881a071af9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/lib/components/chat/UrlFetchModal.svelte"}, "region": {"startLine": 122}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83831, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da5f38010c49ceb45835e48f02f834458b07e736a547323625a6b4fb192b7d99", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/ruvocal/src/lib/components/NavMenu.svelte", "duplicate_line": 266, "correlation_key": "fp|da5f38010c49ceb45835e48f02f834458b07e736a547323625a6b4fb192b7d99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/lib/components/chat/ChatIntroduction.svelte"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83830, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "3151faac91a10106bf6f4689383a4b56f012e2b01f04cac77e3b49ebf6075f64", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/mcp-bridge/test-harness.js", "duplicate_line": 1, "correlation_key": "fp|3151faac91a10106bf6f4689383a4b56f012e2b01f04cac77e3b49ebf6075f64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/mcp-bridge/test-harness.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83829, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4a77e73cbfdc3dfe4322ae4b2e694c466b551468285b565e7bf4564a228b8a5d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ruflo/src/mcp-bridge/mcp-stdio-kernel.js", "duplicate_line": 1, "correlation_key": "fp|4a77e73cbfdc3dfe4322ae4b2e694c466b551468285b565e7bf4564a228b8a5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/mcp-bridge/mcp-stdio-kernel.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83828, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1c4329b33c23aa9b50adaf31907fc4c570e768ab972bd63bccc1ffbbb0e35ff", "category": "quality", "severity": 
"low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/ruflo-neural-trader/src/signed-artifact.ts", "duplicate_line": 49, "correlation_key": "fp|e1c4329b33c23aa9b50adaf31907fc4c570e768ab972bd63bccc1ffbbb0e35ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-neural-trader/src/signed-attribution.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83827, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b7ee64ad585c26637f7b6c1c0e97e4e69c82674d145472e64a969e9d64c1f82", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/ruflo-graph-intelligence/src/adapters/aidefence-suspicion-adapter.ts", "duplicate_line": 50, "correlation_key": "fp|2b7ee64ad585c26637f7b6c1c0e97e4e69c82674d145472e64a969e9d64c1f82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-graph-intelligence/src/adapters/observability-span-adapter.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 83826, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a28e15ec91b2c90b17d79b3f48b69361c9612990a4a91e6a5b474d9d5a69130", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/ruflo-graph-intelligence/src/adapters/aidefence-suspicion-adapter.ts", "duplicate_line": 48, "correlation_key": "fp|8a28e15ec91b2c90b17d79b3f48b69361c9612990a4a91e6a5b474d9d5a69130"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-graph-intelligence/src/adapters/cost-attribution-adapter.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 83726, "scanner": "repobility-threat-engine", "fingerprint": "005a4c1130c5c195f79e95a82f5b5cfdc0bca6843cba32c8c6193c6b0c12a398", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "' tokens of old text (kept last ' + KEEP + ' turns)\\\\n'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|005a4c1130c5c195f79e95a82f5b5cfdc0bca6843cba32c8c6193c6b0c12a398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/patch-aggressive-prune.mjs"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 83725, "scanner": "repobility-threat-engine", "fingerprint": "1224190d4ab06a147679824667049a7aa7cf72850772c70e5b8c50b66ff6ba77", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'[INTELLIGENCE] Stats: ' + count + ' entries loaded'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1224190d4ab06a147679824667049a7aa7cf72850772c70e5b8c50b66ff6ba77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/intelligence.cjs"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 83724, "scanner": "repobility-threat-engine", "fingerprint": "cee385a9e6e84078be7632edaee747bd9eb2c321669a28b01bdeb6a55638562e", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\" timed out after \" + INTELLIGENCE_TIMEOUT_MS + \"ms, skipping\\n\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cee385a9e6e84078be7632edaee747bd9eb2c321669a28b01bdeb6a55638562e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/hook-handler.cjs"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 83860, "scanner": "repobility-docker", "fingerprint": "fafc13e77eedc5a230a6f27866231704a0d2545af234f65ec943397bb554e7dd", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "local_db_${INCLUDE_DB}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|fafc13e77eedc5a230a6f27866231704a0d2545af234f65ec943397bb554e7dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/Dockerfile"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe 
Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 83825, "scanner": "repobility-threat-engine", "fingerprint": "ebb59b765d3e4f89feb311ac83554e9f872e0f6b0b0dbcd8cb62a7b8de645d45", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ebb59b765d3e4f89feb311ac83554e9f872e0f6b0b0dbcd8cb62a7b8de645d45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/plugins/gastown-bridge/wasm/shared/src/intern.rs"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 83820, "scanner": "repobility-threat-engine", "fingerprint": "ab9eeed7684608b2f2a933dbfdc1df3f3d2422200bc09976a358a3ff2dc9facc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ab9eeed7684608b2f2a933dbfdc1df3f3d2422200bc09976a358a3ff2dc9facc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/goal_ui/src/components/ui/chart.tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 83819, "scanner": "repobility-threat-engine", "fingerprint": "e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "aggregated_count": 1}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 83818, "scanner": "repobility-threat-engine", "fingerprint": "c391dcd0a5415c9c80e2a34f281ce8d6baae990d1d227de708709e5ee76ac23d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c391dcd0a5415c9c80e2a34f281ce8d6baae990d1d227de708709e5ee76ac23d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/goal_ui/src/components/agents/RealTimeEventLog.tsx"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 83817, "scanner": "repobility-threat-engine", "fingerprint": 
"a05a2b7db8cf94fa4786cafffce24575f334718ef0ef09c5c793ecdaf807f99f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a05a2b7db8cf94fa4786cafffce24575f334718ef0ef09c5c793ecdaf807f99f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/goal_ui/src/components/agents/QualityGates.tsx"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 83816, "scanner": "repobility-threat-engine", "fingerprint": "e4fca2a30d6109dfa192938be0a3e4b4c109be6d0fa616bd1dddac2f169daf45", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4fca2a30d6109dfa192938be0a3e4b4c109be6d0fa616bd1dddac2f169daf45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/goal_ui/src/components/agents/DependencyGraph.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": 
"MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 83809, "scanner": "repobility-threat-engine", "fingerprint": "6d475cea56ac5b6eeb9b3f84ecb6b7a96ea8697a910929af6dd66bd6230dd7e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d475cea56ac5b6eeb9b3f84ecb6b7a96ea8697a910929af6dd66bd6230dd7e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/guidance/wasm-kernel/src/proof.rs"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 83807, "scanner": "repobility-threat-engine", "fingerprint": "7275ceacd41b9e5f605db0caf2ef5859fc0c93cae6a8c72e5ca046ad7fd4eb1a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7275ceacd41b9e5f605db0caf2ef5859fc0c93cae6a8c72e5ca046ad7fd4eb1a", "aggregated_count": 6}}}, {"ruleId": "SEC002", "level": "none", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 83802, "scanner": "repobility-threat-engine", "fingerprint": "1a4b7a3594ee521e9d52e91f9b31ada7c8c875802027a3dc1879a97463ff3cf4", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "API_KEY = '<redacted>'", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|v3/ token|16|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/scripts/bench-rvagent.mjs"}, "region": {"startLine": 163}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 83801, "scanner": "repobility-threat-engine", "fingerprint": "bcc4f4ba9d6f1cc01238739180acf67e6d4fb5ebbdd6b73d3d1174f7cc93f498", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bcc4f4ba9d6f1cc01238739180acf67e6d4fb5ebbdd6b73d3d1174f7cc93f498"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 83797, "scanner": "repobility-threat-engine", "fingerprint": "a74730ca76ec1f3cc7d4811f43e6f4180763b36a8cc26422ad93989f65bdc129", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a74730ca76ec1f3cc7d4811f43e6f4180763b36a8cc26422ad93989f65bdc129", "aggregated_count": 15}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 83796, "scanner": "repobility-threat-engine", "fingerprint": "a501c08dc73e70c3e6739eb173a8f9d3eb85a13343bce5be90add0628ddfbb2a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a501c08dc73e70c3e6739eb173a8f9d3eb85a13343bce5be90add0628ddfbb2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/memory/graph-edge-writer.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 83795, "scanner": "repobility-threat-engine", "fingerprint": "83370a8c9862b6e0f7f1d0963c9f37fded01cc607da7a665cdbd6ee61e16fa7b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|83370a8c9862b6e0f7f1d0963c9f37fded01cc607da7a665cdbd6ee61e16fa7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/memory/bge-embedder.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 83794, "scanner": "repobility-threat-engine", "fingerprint": "b53810c15cc9c188f04636221566ac6d2de35b156ec864ca46154adf09c252c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b53810c15cc9c188f04636221566ac6d2de35b156ec864ca46154adf09c252c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli-core/src/mcp-tools/validate-input.ts"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 83793, "scanner": "repobility-threat-engine", "fingerprint": "a35cd66a42bd425279dae9e13ec5afe8ff438d13c07e35a6c2ee72916adb4e92", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a35cd66a42bd425279dae9e13ec5afe8ff438d13c07e35a6c2ee72916adb4e92", "aggregated_count": 22}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 83792, "scanner": "repobility-threat-engine", "fingerprint": "103695cc037201e0f698e01f5d420b190f9bf5843f9ac5746d5d693d3c4617cf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|103695cc037201e0f698e01f5d420b190f9bf5843f9ac5746d5d693d3c4617cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/benchmarks/gaia-extract.smoke.ts"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 83791, "scanner": "repobility-threat-engine", "fingerprint": "9386a996611fb3455b087bdd87681bd4ca46dd2a1db311e98fe457a5fc4e9c5e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9386a996611fb3455b087bdd87681bd4ca46dd2a1db311e98fe457a5fc4e9c5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/claims/src/infrastructure/event-store.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 83790, "scanner": "repobility-threat-engine", "fingerprint": "52ea7884bd91c26fd507acdb427a54232b858f2a4fcc7d506d41df1c80bb830b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|52ea7884bd91c26fd507acdb427a54232b858f2a4fcc7d506d41df1c80bb830b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/claims/src/infrastructure/claim-repository.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED027", "level": "none", "message": {"text": "[MINED027] React State Array Mutation (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 83789, "scanner": "repobility-threat-engine", "fingerprint": "48933784feb3bc9610604b20d30a74ea59794fd967d4033b6402aa448814d4b7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|48933784feb3bc9610604b20d30a74ea59794fd967d4033b6402aa448814d4b7", "aggregated_count": 1}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 83782, "scanner": "repobility-threat-engine", "fingerprint": "904c9d309bd336199035b1f270b4696a2b650b4c9eb670ffc915bec567d4c074", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|904c9d309bd336199035b1f270b4696a2b650b4c9eb670ffc915bec567d4c074", "aggregated_count": 1}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 83781, "scanner": "repobility-threat-engine", "fingerprint": "fef072d105afce67e11fc3c20a57bccc441e5935e806ad56819bc9158ccc705a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fef072d105afce67e11fc3c20a57bccc441e5935e806ad56819bc9158ccc705a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/shared/src/mcp/transport/index.ts"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 83780, "scanner": "repobility-threat-engine", "fingerprint": "bdff5f881c822fbf87560f7968a2840143a9c5d77a2e331c6d8b485b4d282135", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bdff5f881c822fbf87560f7968a2840143a9c5d77a2e331c6d8b485b4d282135"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/mcp/src/transport/index.ts"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 83779, "scanner": "repobility-threat-engine", "fingerprint": "9b2832322f31b290914fd104bcd3773386933713d51c9b84a4126d1fabd666c9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b2832322f31b290914fd104bcd3773386933713d51c9b84a4126d1fabd666c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/routes/api/mcp/health/+server.ts"}, "region": {"startLine": 255}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 83770, "scanner": "repobility-threat-engine", "fingerprint": "b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 83769, "scanner": "repobility-threat-engine", "fingerprint": "41dab641d142356952a7d611e143cc7a5f4149a674d4d71c78b9b94d6faa0bd5", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomuuid", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|v3/ token|47|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/scripts/grid-search-retrieval.mjs"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 83768, "scanner": "repobility-threat-engine", "fingerprint": "197a4e368680d95466fe609ea7623de2c1ed294be678d0e6a042d6e201f21fdc", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|118|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/src/routes/login/callback/updateUser.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 83767, "scanner": "repobility-threat-engine", "fingerprint": "11183cdb66933a7e6155840f41828b97c1e81fd282dd7165a5964ff1c7fc2495", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|50|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/scripts/populate.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED015", "level": "none", "message": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. 
Code injection."}, "properties": {"repobilityId": 83766, "scanner": "repobility-threat-engine", "fingerprint": "17ebfd2531f528c15198a6a64c253a53ca94ce6a1c9d6b2ec5b8ece4e9918f87", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "ruby-eval-call", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347933+00:00", "triaged_in_corpus": 20, "observations_count": 85733, "ai_coder_pattern_id": 161}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17ebfd2531f528c15198a6a64c253a53ca94ce6a1c9d6b2ec5b8ece4e9918f87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 83765, "scanner": "repobility-threat-engine", "fingerprint": "e973c240dbc4f89f3ed23634248c27c341c4e2b97022c76d007ae21bef62c680", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e973c240dbc4f89f3ed23634248c27c341c4e2b97022c76d007ae21bef62c680", "aggregated_count": 7}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 83764, "scanner": "repobility-threat-engine", "fingerprint": "80a36c8086bc814560d5d9a17a8504393cc7385ca5952bc4e85534ed766d6be7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|80a36c8086bc814560d5d9a17a8504393cc7385ca5952bc4e85534ed766d6be7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/nginx/nginx.conf"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 83763, "scanner": "repobility-threat-engine", "fingerprint": "67b2e6e05f7b64fc53623217b477ae105f52b673392f99db9b2afc3e8ccbb1cc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|67b2e6e05f7b64fc53623217b477ae105f52b673392f99db9b2afc3e8ccbb1cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/mcp-bridge/mcp-stdio-kernel.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 83762, "scanner": "repobility-threat-engine", "fingerprint": "c9127522e0c78493ffce121af40be3940fe20218c2333b57fa61def772ab6773", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c9127522e0c78493ffce121af40be3940fe20218c2333b57fa61def772ab6773"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/docker-compose.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 40 more): Same pattern found in 40 additional files. 
Review if needed."}, "properties": {"repobilityId": 83761, "scanner": "repobility-threat-engine", "fingerprint": "d7ab7ca7ffb3ec4cf0bb02e423c345ccb526619ae1a49dd666a6220f0b3b0b26", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d7ab7ca7ffb3ec4cf0bb02e423c345ccb526619ae1a49dd666a6220f0b3b0b26", "aggregated_count": 40}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 83760, "scanner": "repobility-threat-engine", "fingerprint": "bd118985f4ec92a15b98c5b59e75c12f2f5ba53ce7ce7fc6a57072e24e264af6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bd118985f4ec92a15b98c5b59e75c12f2f5ba53ce7ce7fc6a57072e24e264af6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/scripts/updateLocalEnv.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 83759, "scanner": "repobility-threat-engine", "fingerprint": "f4938599d9e9c15de4327c80473e43e6353467c31d6372d8ebc05468e122f819", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f4938599d9e9c15de4327c80473e43e6353467c31d6372d8ebc05468e122f819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-graph-intelligence/src/infrastructure/jl-embed.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 83758, "scanner": "repobility-threat-engine", "fingerprint": "a2cd8d1ce823ac77b7fe462138e747c7ce5b0597db327975b7eca542b36588b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a2cd8d1ce823ac77b7fe462138e747c7ce5b0597db327975b7eca542b36588b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-graph-intelligence/src/adapters/observability-span-adapter.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 83757, "scanner": "repobility-threat-engine", "fingerprint": "87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 16 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 62 more): Same pattern found in 62 additional files. Review if needed."}, "properties": {"repobilityId": 83753, "scanner": "repobility-threat-engine", "fingerprint": "0f12c0bd46b8c11934538445f26904855fe3230a3533329f6f8872e11f9a2bd6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 62 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 62 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0f12c0bd46b8c11934538445f26904855fe3230a3533329f6f8872e11f9a2bd6"}}}, {"ruleId": "SEC087", "level": "none", "message": {"text": "[SEC087] JS: weak Math.random for crypto (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 83749, "scanner": "repobility-threat-engine", "fingerprint": "9c88f8f302bc35c1cccdd459311242cfa3bfc4557831186a2888f8024cda37f5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9c88f8f302bc35c1cccdd459311242cfa3bfc4557831186a2888f8024cda37f5"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 83745, "scanner": "repobility-threat-engine", "fingerprint": "935ca1bcfb4d5d281bd63348c3a3354eb0a4b201cfe472375901be41ecd40841", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|935ca1bcfb4d5d281bd63348c3a3354eb0a4b201cfe472375901be41ecd40841"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 83739, "scanner": "repobility-threat-engine", "fingerprint": "479ad3ecd592fb67b4d7a6e885f9f264f18b2f11939abf87277284ef886c8b37", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|479ad3ecd592fb67b4d7a6e885f9f264f18b2f11939abf87277284ef886c8b37"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 83735, "scanner": "repobility-threat-engine", "fingerprint": "f18933be2d43a6f2b86aba60a194501d92b01604e86efa860079d4abf0349f9e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f18933be2d43a6f2b86aba60a194501d92b01604e86efa860079d4abf0349f9e"}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 83731, "scanner": "repobility-threat-engine", "fingerprint": "7b990c59a59a231ab74545553785eddf6010f76184455cdb20a0912964580127", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7b990c59a59a231ab74545553785eddf6010f76184455cdb20a0912964580127", "aggregated_count": 1}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 83730, "scanner": "repobility-threat-engine", "fingerprint": "96ba39c0d5657fa4fc72eda606f00b6947ffb5f6a3ac4c31760650ddf904a258", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96ba39c0d5657fa4fc72eda606f00b6947ffb5f6a3ac4c31760650ddf904a258"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/.claude/helpers/learning-hooks.sh"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 83729, "scanner": "repobility-threat-engine", "fingerprint": "940124c961dee321b75e01147bb77ef0dbb9ac2c44835996f4f522f5333f4f69", "category": "quality", "severity": 
"info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|940124c961dee321b75e01147bb77ef0dbb9ac2c44835996f4f522f5333f4f69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/install.sh"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 83728, "scanner": "repobility-threat-engine", "fingerprint": "2c062bc8d347f23751d5b681b065f1e632045b016a02eb2ea8746812944e854f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c062bc8d347f23751d5b681b065f1e632045b016a02eb2ea8746812944e854f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/learning-hooks.sh"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 83727, "scanner": "repobility-threat-engine", "fingerprint": "0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 83723, "scanner": "repobility-threat-engine", "fingerprint": "8ce8a1367a2a0d9794a6d1f712fc9c846b60dcbe21c8f164bcea91d350a68bc9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8ce8a1367a2a0d9794a6d1f712fc9c846b60dcbe21c8f164bcea91d350a68bc9"}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "properties": {"repobilityId": 83716, "scanner": "repobility-threat-engine", "fingerprint": "2dbc83d54d7c26536309768fea7244b28f63eb48dd7b78fd5d1771cbe65580c9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2dbc83d54d7c26536309768fea7244b28f63eb48dd7b78fd5d1771cbe65580c9", "aggregated_count": 4}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 83715, "scanner": "repobility-threat-engine", "fingerprint": "13c3dee863484b475864cad1cce66e12f105d48b1577547fc767e4e5035cadb9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|13c3dee863484b475864cad1cce66e12f105d48b1577547fc767e4e5035cadb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-cost-tracker/scripts/compact.mjs"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: 
Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 83714, "scanner": "repobility-threat-engine", "fingerprint": "960139658e316664a4c010ea1617f27d7cfedc0549fb4744d2f26965148ff499", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|960139658e316664a4c010ea1617f27d7cfedc0549fb4744d2f26965148ff499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/patch-aggressive-prune.mjs"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 83713, "scanner": "repobility-threat-engine", "fingerprint": "28868065e7d41608e0418cee5466cad66f87b3e9fdb8179014c7c175a09c5970", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28868065e7d41608e0418cee5466cad66f87b3e9fdb8179014c7c175a09c5970"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/aggressive-microcompact.mjs"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED044", "level": 
"none", "message": {"text": "[MINED044] Js Console Log Prod (and 215 more): Same pattern found in 215 additional files. Review if needed."}, "properties": {"repobilityId": 83712, "scanner": "repobility-threat-engine", "fingerprint": "ffd7f38c482a2f41e5f68896b143b9f113a546d1f726a985e66d3c3ae3d9c302", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 215 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ffd7f38c482a2f41e5f68896b143b9f113a546d1f726a985e66d3c3ae3d9c302", "aggregated_count": 215}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 83711, "scanner": "repobility-threat-engine", "fingerprint": "424c0bf35f4dd0681eae020ad43cd7ec2e3689f71f12c2b8365a6da475312e50", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|424c0bf35f4dd0681eae020ad43cd7ec2e3689f71f12c2b8365a6da475312e50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/hook-handler.cjs"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 83710, "scanner": "repobility-threat-engine", "fingerprint": "e2018f2f326aaba8d1a2365fd0368950f620b3585eb42230c2e2e2ba9a39e327", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e2018f2f326aaba8d1a2365fd0368950f620b3585eb42230c2e2e2ba9a39e327"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/github-safe.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 83709, "scanner": "repobility-threat-engine", "fingerprint": "439c2f4651762163c7b5c9e7b16d72a551e968c8d98844db53de48c38e8daf03", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|439c2f4651762163c7b5c9e7b16d72a551e968c8d98844db53de48c38e8daf03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/aggressive-microcompact.mjs"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 83708, "scanner": "repobility-threat-engine", "fingerprint": "85f6e149491b106b778d3023521ac1a6df7b2e25c95618240e31ca0c355a5634", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|85f6e149491b106b778d3023521ac1a6df7b2e25c95618240e31ca0c355a5634"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 83707, "scanner": "repobility-threat-engine", "fingerprint": "f796f2fc05d4e887106baea1fbc1462f156ce74c63c14825197c65fa18e619e5", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "console.log('> publishes events with shape `{peerId, taskId, tokensUsed, usdSpent, ts}` to')", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|console.log publishes events with shape peerid taskid tokensused usdspent ts to"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-cost-tracker/scripts/federation.mjs"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 83706, "scanner": "repobility-threat-engine", "fingerprint": "d34f3109eec3868dfe4bd6697c1b9db54771eed599505737a08135fa14b13000", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log('  - absolute path walk from this script (looking for v3/@claude-flow/integration/dist/t", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|11|console.log - absolute path walk from this script looking for v3/ token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-cost-tracker/scripts/compact.mjs"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 83705, "scanner": "repobility-threat-engine", "fingerprint": "da0df4832446e6c311e4b9bd44357b25a8d944e166425f8e04434166ed555149", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log('[AggressiveMicrocompact] Micro-compact activates when tokens > warning threshold')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|. token|3|console.log aggressivemicrocompact micro-compact activates when tokens warning threshold"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/aggressive-microcompact.mjs"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 83704, "scanner": "repobility-threat-engine", "fingerprint": "084288a32066b4c94a5b94b7c2d63f6615a308dfb9be963c394f4fde1bb0b8f0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 24 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|084288a32066b4c94a5b94b7c2d63f6615a308dfb9be963c394f4fde1bb0b8f0"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches are mutable references that the action owner, or anyone who compromises that account, can re-push; that is why the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA up to date."}, "properties": {"repobilityId": 83971, "scanner": "repobility-supply-chain", "fingerprint": "c4b5eda5e021183d6f10e956002a9c96c2a4f93c4edaf0c68b47af8b6db66a3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4b5eda5e021183d6f10e956002a9c96c2a4f93c4edaf0c68b47af8b6db66a3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/integration-tests.yml"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches are mutable references that the action owner, or anyone who compromises that account, can re-push; that is why the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA up to date."}, "properties": {"repobilityId": 83970, "scanner": "repobility-supply-chain", "fingerprint": "e8c13d2ebda1de33e9b256243a394373e5ecbbe022e5f6acad9cf5f10eb151ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8c13d2ebda1de33e9b256243a394373e5ecbbe022e5f6acad9cf5f10eb151ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/integration-tests.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches are mutable references that the action owner, or anyone who compromises that account, can re-push; that is why the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA up to date."}, "properties": {"repobilityId": 83969, "scanner": "repobility-supply-chain", "fingerprint": "fc0b0ca60ae564740a937a05f6c043200ba537305345d299fc4f56a2feb7a094", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc0b0ca60ae564740a937a05f6c043200ba537305345d299fc4f56a2feb7a094"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/integration-tests.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches are mutable references that the action owner, or anyone who compromises that account, can re-push; that is why the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA up to date."}, "properties": {"repobilityId": 83968, "scanner": "repobility-supply-chain", "fingerprint": "b6d739e9e98ba17296b0be8fcfc4813c3b67680746e72649bca4224394b8f08d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6d739e9e98ba17296b0be8fcfc4813c3b67680746e72649bca4224394b8f08d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/integration-tests.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/playwright:v1.40.0-jammy` not pinned by digest: `FROM mcr.microsoft.com/playwright:v1.40.0-jammy` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83967, "scanner": "repobility-supply-chain", "fingerprint": "5a1f63d56813015fdb9ddd29a9f01977c285f66db7b073e4cf18b1ab8df15cd0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a1f63d56813015fdb9ddd29a9f01977c285f66db7b073e4cf18b1ab8df15cd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/docker/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83966, "scanner": "repobility-supply-chain", "fingerprint": "fe76cd03dbce0aa2b41f536ab402c0ec8fff0daea7e39d5ea4c70e240c1b9ab0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe76cd03dbce0aa2b41f536ab402c0ec8fff0daea7e39d5ea4c70e240c1b9ab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/docker/Dockerfile"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83965, "scanner": "repobility-supply-chain", "fingerprint": "cdb76ac8247fbd632525233283d77c061c3330932e93a3b465eef524dc67cc3c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cdb76ac8247fbd632525233283d77c061c3330932e93a3b465eef524dc67cc3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/docker/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83964, "scanner": "repobility-supply-chain", "fingerprint": "98cb1b55fc411a3893135ae7215a13c9205fb36eeff825db5bf36cc59de52979", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98cb1b55fc411a3893135ae7215a13c9205fb36eeff825db5bf36cc59de52979"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/docker/Dockerfile.headless"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83963, "scanner": "repobility-supply-chain", "fingerprint": "bd2ab071c1ad6c64a3e44f593853b1de8623a81d87dd9d2e4603abd1a0113e10", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd2ab071c1ad6c64a3e44f593853b1de8623a81d87dd9d2e4603abd1a0113e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/docker/Dockerfile.headless"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83962, "scanner": "repobility-supply-chain", "fingerprint": "7008942be05e553d11eae1134299c13e7c6c2830b85bad3e162369129f5d92fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7008942be05e553d11eae1134299c13e7c6c2830b85bad3e162369129f5d92fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/docker/Dockerfile.full"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83961, "scanner": "repobility-supply-chain", "fingerprint": "c9f3bfa205b34c16a0e77123752160fd1950c91abfd0c472e6a2771b63b007c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9f3bfa205b34c16a0e77123752160fd1950c91abfd0c472e6a2771b63b007c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/docker/Dockerfile.full"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83960, "scanner": "repobility-supply-chain", "fingerprint": "b3d41ad5b57cab4c5b588473480a429e750882d441aed0bce98663fc90ecd378", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b3d41ad5b57cab4c5b588473480a429e750882d441aed0bce98663fc90ecd378"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/docker/Dockerfile.appliance"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83959, "scanner": "repobility-supply-chain", "fingerprint": "19824c4f51136191d399f7c5926142fbf3a577c98030464fd15cc92bb3024b81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|19824c4f51136191d399f7c5926142fbf3a577c98030464fd15cc92bb3024b81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/docker/Dockerfile.appliance"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml` pinned to mutable ref `@main`: `uses: huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml@main` resolves at workflow-run time. Tags and branches are mutable references that the action owner, or anyone who compromises that account, can re-push; that is why the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA up to date."}, "properties": {"repobilityId": 83957, "scanner": "repobility-supply-chain", "fingerprint": "5f5fc9807d254094d74d6ca1cb1f02645855f7d67205e0290530c990415e9327", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f5fc9807d254094d74d6ca1cb1f02645855f7d67205e0290530c990415e9327"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/upload-pr-documentation.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rlespinasse/github-slug-action` pinned to mutable ref `@v4.5.0`: `uses: rlespinasse/github-slug-action@v4.5.0` resolves at workflow-run time. Tags and branches are mutable references that the action owner, or anyone who compromises that account, can re-push; that is why the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA up to date."}, "properties": {"repobilityId": 83954, "scanner": "repobility-supply-chain", "fingerprint": "bcf7044d0020fed1df46b62a24d593019a1c5db90fd291459d874e4871dd2c39", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bcf7044d0020fed1df46b62a24d593019a1c5db90fd291459d874e4871dd2c39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/deploy-dev.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches are mutable references that the action owner, or anyone who compromises that account, can re-push; that is why the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
Pin to the full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA up to date."}, "properties": {"repobilityId": 83953, "scanner": "repobility-supply-chain", "fingerprint": "ad0f0d3559cb5aa0504829da803eeab91df260e400302192c61fbcfe3a8bc156", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad0f0d3559cb5aa0504829da803eeab91df260e400302192c61fbcfe3a8bc156"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/deploy-dev.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `huggingface/doc-builder/.github/workflows/build_pr_documentation.yml` pinned to mutable ref `@main`: `uses: huggingface/doc-builder/.github/workflows/build_pr_documentation.yml@main` resolves at workflow-run time. Tags and branches are mutable references that the action owner, or anyone who compromises that account, can re-push; that is why the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. 
A branch ref such as `@main` on a reusable workflow moves on every push to the upstream repository, so the jobs this workflow runs can change with no change in this repo. Pin the reusable workflow to the full 40-character commit SHA (keep the tag or date in a trailing comment for readability) and let Dependabot or Renovate keep the pinned SHA current."}, "properties": {"repobilityId": 83952, "scanner": "repobility-supply-chain", "fingerprint": "4bc8855076c28b253b05e1d1c8ff7cd4e43ea1aa13ac3a81118e65bb9c53a011", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4bc8855076c28b253b05e1d1c8ff7cd4e43ea1aa13ac3a81118e65bb9c53a011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/build-pr-docs.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by whoever controls the action repository (the owner, or an attacker who compromises it); that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83951, "scanner": "repobility-supply-chain", "fingerprint": "f631a8e12ecbb8771876a641525a9dc75de3ef932d3abfaa27ce999930e734dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f631a8e12ecbb8771876a641525a9dc75de3ef932d3abfaa27ce999930e734dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/slugify.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rlespinasse/github-slug-action` pinned to mutable ref `@v4.5.0`: `uses: rlespinasse/github-slug-action@v4.5.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Even a fully-qualified version tag such as `@v4.5.0` is a git tag and can be moved or re-pushed, so it is not an immutable pin. Pin to the full 40-character commit SHA (keep the version tag in a trailing comment for readability) and let Dependabot or Renovate keep the pinned SHA current."}, "properties": {"repobilityId": 83950, "scanner": "repobility-supply-chain", "fingerprint": "ae14abc0a993a0a71c808bfdd3c322cbea5adfe8dfa153d93efe7129d6da492e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae14abc0a993a0a71c808bfdd3c322cbea5adfe8dfa153d93efe7129d6da492e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/build-image.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by whoever controls the action repository (the owner, or an attacker who compromises it); that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83949, "scanner": "repobility-supply-chain", "fingerprint": "e38e09a601172ae4022e913030c875b9034360cdfc968f1a2b131dd38289937f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e38e09a601172ae4022e913030c875b9034360cdfc968f1a2b131dd38289937f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/build-image.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rlespinasse/github-slug-action` pinned to mutable ref `@v4.5.0`: `uses: rlespinasse/github-slug-action@v4.5.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83948, "scanner": "repobility-supply-chain", "fingerprint": "e26b8b1d99ea7cb27319174289d4323fc9bf7d32f091a3b0f91ef719ea6cbbee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e26b8b1d99ea7cb27319174289d4323fc9bf7d32f091a3b0f91ef719ea6cbbee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/build-image.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83947, "scanner": "repobility-supply-chain", "fingerprint": "90d2f7252f2b942c201ae4af591bf80dab986df314f03b14f225fad7c19d4413", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|90d2f7252f2b942c201ae4af591bf80dab986df314f03b14f225fad7c19d4413"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/build-image.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `trufflesecurity/trufflehog` pinned to mutable ref `@main`: `uses: trufflesecurity/trufflehog@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
A branch ref such as `@main` moves on every push to the action repository, so the code this workflow executes can change with no change in this repo. Pin to the full 40-character commit SHA (keep the tag or date in a trailing comment for readability) and let Dependabot or Renovate keep the pinned SHA current."}, "properties": {"repobilityId": 83946, "scanner": "repobility-supply-chain", "fingerprint": "c906c17639ed2486ad7303502eaf7c36032e87163b655483d16c725a3a9cc47c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c906c17639ed2486ad7303502eaf7c36032e87163b655483d16c725a3a9cc47c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/trufflehog.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by whoever controls the action repository (the owner, or an attacker who compromises it); that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83945, "scanner": "repobility-supply-chain", "fingerprint": "8cc0c66574829817d68e21596c5268c76cec911d5911880ce6cf1163405ae3c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cc0c66574829817d68e21596c5268c76cec911d5911880ce6cf1163405ae3c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/trufflehog.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83944, "scanner": "repobility-supply-chain", "fingerprint": "96db6829264f2e1f79cd1cfd886fff0d87cd035cd31192ac555906d542df70af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|96db6829264f2e1f79cd1cfd886fff0d87cd035cd31192ac555906d542df70af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/lint-and-test.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83943, "scanner": "repobility-supply-chain", "fingerprint": "88efc2032c3ba955cc6d9c502ee2f1f4baa95069d3004cfc5afcef5facc73b59", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88efc2032c3ba955cc6d9c502ee2f1f4baa95069d3004cfc5afcef5facc73b59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/lint-and-test.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83942, "scanner": "repobility-supply-chain", "fingerprint": "7c701bbad8a10b5546e1329466e11a8c3487abfcffbee9118b2807acc5e941a8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c701bbad8a10b5546e1329466e11a8c3487abfcffbee9118b2807acc5e941a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/lint-and-test.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83941, "scanner": "repobility-supply-chain", "fingerprint": "c2cc578b71a2b744beda03c30d03722f1e300b808a7334262fe02ca3185cb2f1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c2cc578b71a2b744beda03c30d03722f1e300b808a7334262fe02ca3185cb2f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/lint-and-test.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83940, "scanner": "repobility-supply-chain", "fingerprint": "52bf0a1509f016f38b941b4cfe6bf8a7fa9939440a6e8eacd0b6c7acd612c09d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52bf0a1509f016f38b941b4cfe6bf8a7fa9939440a6e8eacd0b6c7acd612c09d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/lint-and-test.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `huggingface/doc-builder/.github/workflows/build_main_documentation.yml` pinned to mutable ref `@main`: `uses: huggingface/doc-builder/.github/workflows/build_main_documentation.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83939, "scanner": "repobility-supply-chain", "fingerprint": "9d6582dcc0eab83efba13ede7562bf833b1d158dfe2f5a1255e36d7c192eb2ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d6582dcc0eab83efba13ede7562bf833b1d158dfe2f5a1255e36d7c192eb2ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/build-docs.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aurelien-baudet/workflow-dispatch` pinned to mutable ref `@v2`: `uses: aurelien-baudet/workflow-dispatch@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83938, "scanner": "repobility-supply-chain", "fingerprint": "2ffa8b9446100fa9cf60e355f30afe2501c3a5631df95b69bd3274160a0e04ed", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ffa8b9446100fa9cf60e355f30afe2501c3a5631df95b69bd3274160a0e04ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/deploy-prod.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rlespinasse/github-slug-action` pinned to mutable ref `@v4.5.0`: `uses: rlespinasse/github-slug-action@v4.5.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83937, "scanner": "repobility-supply-chain", "fingerprint": "2b4f036fda84e53b95b4d9f86ffabef0f75ea15de78a294007f1cc66deb50234", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b4f036fda84e53b95b4d9f86ffabef0f75ea15de78a294007f1cc66deb50234"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/deploy-prod.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rlespinasse/github-slug-action` pinned to mutable ref `@v4.5.0`: `uses: rlespinasse/github-slug-action@v4.5.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83936, "scanner": "repobility-supply-chain", "fingerprint": "257499edb792d1ede6546bc40aafada9c31b9f08d250d2350af54c0321d6e684", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|257499edb792d1ede6546bc40aafada9c31b9f08d250d2350af54c0321d6e684"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/deploy-prod.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 83935, "scanner": "repobility-supply-chain", "fingerprint": "3e2f8e4e0f949080a9f0ec3a0278c1debcf14b3499db90a3221d656d70e7f189", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e2f8e4e0f949080a9f0ec3a0278c1debcf14b3499db90a3221d656d70e7f189"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/deploy-prod.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Pin to `image:tag@sha256:<digest>` (keeping the tag for readability) and let Dependabot or Renovate bump the digest; a digest-pinned base still needs periodic rebuilds to pick up OS and runtime security patches. This file is a devcontainer image (`.devcontainer/Dockerfile`) rather than a production image, so the exposure is developer machines and CI rather than deployed services and the severity may be over-stated, but the build input should still be pinned."}, "properties": {"repobilityId": 83934, "scanner": "repobility-supply-chain", "fingerprint": "6945e65fa53ab8ed451dc1b5b03a3ad2036b4691588bc751744b5afa4126a9b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6945e65fa53ab8ed451dc1b5b03a3ad2036b4691588bc751744b5afa4126a9b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-slim` not pinned by digest: `FROM node:20-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83933, "scanner": "repobility-supply-chain", "fingerprint": "57be04946211517b24f048173973e44799b43be4f8ad114eb820608272dfa7b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57be04946211517b24f048173973e44799b43be4f8ad114eb820608272dfa7b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/mcp-bridge/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mongo:7` not pinned by digest: `FROM mongo:7` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83932, "scanner": "repobility-supply-chain", "fingerprint": "84d4e9a7efa14125a9f5d248e16e7b55e73b24e7e5b03e48aaba3774affe7419", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84d4e9a7efa14125a9f5d248e16e7b55e73b24e7e5b03e48aaba3774affe7419"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/Dockerfile"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24` not pinned by digest: `FROM node:24` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83931, "scanner": "repobility-supply-chain", "fingerprint": "29ad5474ae12615d5489c147f6fe582b1b074675c1932da4172f61df748dad3f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29ad5474ae12615d5489c147f6fe582b1b074675c1932da4172f61df748dad3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83930, "scanner": "repobility-supply-chain", "fingerprint": "2e4f70631e8c451b97f41c687574f7808d609aaa502ecdbcf57222364251180f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e4f70631e8c451b97f41c687574f7808d609aaa502ecdbcf57222364251180f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `nginx:1.27-alpine` not pinned by digest: `FROM nginx:1.27-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83929, "scanner": "repobility-supply-chain", "fingerprint": "f19d43f5d40b4e6ac0bdc2062832fac2fa06d3fa4330144e7ea1c5401ae38910", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f19d43f5d40b4e6ac0bdc2062832fac2fa06d3fa4330144e7ea1c5401ae38910"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/nginx/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-slim` not pinned by digest: `FROM node:20-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83928, "scanner": "repobility-supply-chain", "fingerprint": "cc52d4aae0e4d3510f0aacb6d341d59a721decdafb6a7dea0bfec52232fa117e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc52d4aae0e4d3510f0aacb6d341d59a721decdafb6a7dea0bfec52232fa117e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/mcp-bridge/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ghcr.io/huggingface/chat-ui-db:latest` not pinned by digest: `FROM ghcr.io/huggingface/chat-ui-db:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
`:latest` is the most volatile tag of all: it is re-pointed on every upstream release, so two builds on the same day can start from different bases. Pin to `image:tag@sha256:<digest>` (keeping a descriptive tag for readability) and let Dependabot or Renovate bump the digest; a digest-pinned base still needs periodic rebuilds to pick up OS and runtime security patches."}, "properties": {"repobilityId": 83927, "scanner": "repobility-supply-chain", "fingerprint": "c6573831406d4a9e6c3ff3f30a466740df8ee23bc906662745792e431372bb63", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c6573831406d4a9e6c3ff3f30a466740df8ee23bc906662745792e431372bb63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/chat-ui/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-bookworm` not pinned by digest: `FROM node:20-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 83926, "scanner": "repobility-supply-chain", "fingerprint": "383256a1ce7bdac93a2a050ab78dcfaf814e9be06e232efdf2cf29fd7fbc5b71", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|383256a1ce7bdac93a2a050ab78dcfaf814e9be06e232efdf2cf29fd7fbc5b71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /chat/completions has no auth: Express route POST /chat/completions declared without an auth middleware in its handler chain. 
State-changing methods (POST/PUT/DELETE/PATCH) on routes that require no authentication are OWASP A01:2021 Broken Access Control (CWE-306, missing authentication). This check only inspects the route's own handler chain, so before triaging confirm that no app-level `app.use()` auth middleware or upstream gateway already guards this route; if nothing does, add an auth middleware to the route or bind the listener to a trusted interface only."}, "properties": {"repobilityId": 83925, "scanner": "repobility-route-auth", "fingerprint": "7bc5d739ad9624c086143eb34f6a135aed9bc22bb61eb48a126b1f44b799b84f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7bc5d739ad9624c086143eb34f6a135aed9bc22bb61eb48a126b1f44b799b84f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/mcp-bridge/index.js"}, "region": {"startLine": 1742}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 83924, "scanner": "repobility-route-auth", "fingerprint": "6f074923466b39a9572a5ae8b83975bb8f6d9c6b994f7a96b3e492dd0849648e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6f074923466b39a9572a5ae8b83975bb8f6d9c6b994f7a96b3e492dd0849648e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/mcp-bridge/index.js"}, "region": {"startLine": 1102}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /chat/completions has no auth: Express route POST /chat/completions declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 83923, "scanner": "repobility-route-auth", "fingerprint": "e6518fb98a9fc255586dc9d6cbf2ad0a21408be935e071d7a9ed2f814c3ee386", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e6518fb98a9fc255586dc9d6cbf2ad0a21408be935e071d7a9ed2f814c3ee386"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/mcp-bridge/index.js"}, "region": {"startLine": 1537}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 83922, "scanner": "repobility-route-auth", "fingerprint": "b4ace3586ae0def9e40338867000363cb1c730662e33c7fac72234fe6d3ddd06", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b4ace3586ae0def9e40338867000363cb1c730662e33c7fac72234fe6d3ddd06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/mcp-bridge/index.js"}, "region": {"startLine": 926}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 83921, "scanner": "repobility-route-auth", "fingerprint": "8d5f5afb7a1eba17f030daf236fcfd069713c9e4710364f82123e07e699bdcfe", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8d5f5afb7a1eba17f030daf236fcfd069713c9e4710364f82123e07e699bdcfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/shared/src/mcp/transport/http.ts"}, "region": {"startLine": 306}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /rpc has no auth: Express route POST /rpc declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 83920, "scanner": "repobility-route-auth", "fingerprint": "72f2563d14396824e914df390080ad13d069e483fbda51cb82172c7b70c652d9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|72f2563d14396824e914df390080ad13d069e483fbda51cb82172c7b70c652d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/shared/src/mcp/transport/http.ts"}, "region": {"startLine": 301}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 83919, "scanner": "repobility-route-auth", "fingerprint": "9d835ca92a788a34f62a67d98ec38b89cc958121bccd2effd8d0cbf812518dd8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9d835ca92a788a34f62a67d98ec38b89cc958121bccd2effd8d0cbf812518dd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/mcp/src/transport/http.ts"}, "region": {"startLine": 249}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /rpc has no auth: Express route POST /rpc declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 83918, "scanner": "repobility-route-auth", "fingerprint": "a2794fc80a17a967f61291bca8cce3b1c035622d914e954a5d3a38941e401cb2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a2794fc80a17a967f61291bca8cce3b1c035622d914e954a5d3a38941e401cb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/mcp/src/transport/http.ts"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 83917, "scanner": "repobility-route-auth", "fingerprint": "978c7ae36653ebc252f60da07ea2dad629dfe8fb6444b03d1b1274da35c00258", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|978c7ae36653ebc252f60da07ea2dad629dfe8fb6444b03d1b1274da35c00258"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/mcp/transport/http.ts"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /rpc has no auth: Express route POST /rpc declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 83916, "scanner": "repobility-route-auth", "fingerprint": "936e2b19068d62d53511605bf6898746981fe46164c41a660eba81c87f82f6c0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|936e2b19068d62d53511605bf6898746981fe46164c41a660eba81c87f82f6c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/mcp/transport/http.ts"}, "region": {"startLine": 275}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 83877, "scanner": "repobility-docker", "fingerprint": "3b9ff34b3d065e583f213ea49127b19ab43b384679f7bb854ee456d93bf55adf", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${LOCAL_MONGO_PORT:-27017}:27017", "target": "27017", "host_ip": "${LOCAL_MONGO_PORT", "published": "-27017}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|3b9ff34b3d065e583f213ea49127b19ab43b384679f7bb854ee456d93bf55adf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": 
"DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 83868, "scanner": "repobility-docker", "fingerprint": "0eb9ce178587999cbc00b439370843308f5893a5ba510a82963bb79e17ba8ff8", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "27017:27017", "target": "27017", "host_ip": "", "published": "27017"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|0eb9ce178587999cbc00b439370843308f5893a5ba510a82963bb79e17ba8ff8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/docker-compose.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 83865, "scanner": "repobility-docker", "fingerprint": "b44abad676e763fac02a8f05623c661fe4e13ab896a4e319844c1532ced05cc2", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b44abad676e763fac02a8f05623c661fe4e13ab896a4e319844c1532ced05cc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/docker/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": 
"Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 83863, "scanner": "repobility-docker", "fingerprint": "e936334a6d3d00b28ea05ce3a02545ef394a05f43123441a9a2049f33748afb7", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e936334a6d3d00b28ea05ce3a02545ef394a05f43123441a9a2049f33748afb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker-regression/Dockerfile"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 83859, "scanner": "repobility-docker", "fingerprint": "d66ce32539fda695a6e46ef7e2eea346c070ce7d56ca4a6fbdd2769f2a062544", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d66ce32539fda695a6e46ef7e2eea346c070ce7d56ca4a6fbdd2769f2a062544"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/Dockerfile"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 83824, "scanner": "repobility-threat-engine", "fingerprint": "7ec27049f45087c7eeae18180abc84eb717b2b5c846e98e0c05d6ac4b991f67a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7ec27049f45087c7eeae18180abc84eb717b2b5c846e98e0c05d6ac4b991f67a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/goal_ui/vite.config.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 83823, "scanner": "repobility-threat-engine", "fingerprint": "d4c712d7d3fbb50c3191c964156dd541aaf7faacb38c3fa384bee5a665d35954", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d4c712d7d3fbb50c3191c964156dd541aaf7faacb38c3fa384bee5a665d35954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/goal_ui/supabase/functions/generate-research-goal/index.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 83822, "scanner": "repobility-threat-engine", "fingerprint": "b8bba67c1c1a1bc8aa9f20f7d2c7c6e241fdbee041b7adf4540c8b2e653fd7ae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b8bba67c1c1a1bc8aa9f20f7d2c7c6e241fdbee041b7adf4540c8b2e653fd7ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/goal_ui/supabase/functions/generate-action-items/index.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 83815, "scanner": "repobility-threat-engine", "fingerprint": "68f271262751a13402b975e135458c2908a155f7a96cff8c75636f328f18bbf3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|68f271262751a13402b975e135458c2908a155f7a96cff8c75636f328f18bbf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/shared/src/resilience/rate-limiter.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render."}, "properties": {"repobilityId": 83814, "scanner": "repobility-threat-engine", "fingerprint": "54ad67993b09579a8e25a9fbe2ca6fb5852ee1943cfe09c87aa789f9b4792937", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|54ad67993b09579a8e25a9fbe2ca6fb5852ee1943cfe09c87aa789f9b4792937"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/plugins/teammate-plugin/src/utils/circuit-breaker.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render."}, "properties": {"repobilityId": 83813, "scanner": "repobility-threat-engine", "fingerprint": "d37a694cec50dc2a02a83abf335ee2cb0b800f37e248465be2e4ef970dc83376", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d37a694cec50dc2a02a83abf335ee2cb0b800f37e248465be2e4ef970dc83376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/shared/src/events/state-reconstructor.ts"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. 
AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 83808, "scanner": "repobility-threat-engine", "fingerprint": "a67b42c3a0ff86da606c063bbeb2d133cfee0b6ee77043a47f488bab715c9e30", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a67b42c3a0ff86da606c063bbeb2d133cfee0b6ee77043a47f488bab715c9e30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/guidance/wasm-kernel/src/gates.rs"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 83806, "scanner": "repobility-threat-engine", "fingerprint": "c5102c36ed18191a78ad0b0a99eb05e3d5c98325ce77143af6129def49a8f5ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c5102c36ed18191a78ad0b0a99eb05e3d5c98325ce77143af6129def49a8f5ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/plugins/gastown-bridge/wasm/gastown-formula-wasm/src/cooker.rs"}, "region": {"startLine": 317}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 83805, "scanner": "repobility-threat-engine", "fingerprint": "b494659deac4a262764d1d31e498a222dbbf598e002a4078814e64c967873dd9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b494659deac4a262764d1d31e498a222dbbf598e002a4078814e64c967873dd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/guidance/wasm-kernel/src/scoring.rs"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 83804, "scanner": "repobility-threat-engine", "fingerprint": "564126f5c59eec57afa168d881c8fba62607057fc5b4f8d86f68fcc47ca1c3e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|564126f5c59eec57afa168d881c8fba62607057fc5b4f8d86f68fcc47ca1c3e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/guidance/wasm-kernel/src/gates.rs"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 83788, "scanner": "repobility-threat-engine", "fingerprint": "1648ce84eb2c588f389fc85fb64d494d75b10594baa58fa4a4afc7fa9000b931", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1648ce84eb2c588f389fc85fb64d494d75b10594baa58fa4a4afc7fa9000b931"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/benchmarks/gaia-convergence.ts"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 83787, "scanner": "repobility-threat-engine", "fingerprint": "7ef4fdca0eb75fafc6fcccd380105dff224f69b416c50d0736ccfb43a8348b8e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7ef4fdca0eb75fafc6fcccd380105dff224f69b416c50d0736ccfb43a8348b8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/src/infrastructure/causal-recovery-store.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 83786, "scanner": "repobility-threat-engine", "fingerprint": "da8f0aff16428b83e008e75c2e1c73919039888915df31014a48bace9ae90815", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], 
"languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da8f0aff16428b83e008e75c2e1c73919039888915df31014a48bace9ae90815"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/src/application/cookie-vault-service.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 83784, "scanner": "repobility-threat-engine", "fingerprint": "4ccd13d8cc47dc7407efd5fa2f8bb30b43f833437b36a634683f082c7cfef338", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ccd13d8cc47dc7407efd5fa2f8bb30b43f833437b36a634683f082c7cfef338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/install.sh"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 83756, "scanner": "repobility-threat-engine", "fingerprint": "b19fd813855a0bfc58b30208e7623c57f2bebe416881de3d1194dd7132492930", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b19fd813855a0bfc58b30208e7623c57f2bebe416881de3d1194dd7132492930"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-cost-tracker/scripts/compact.mjs"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 83755, "scanner": "repobility-threat-engine", "fingerprint": "b1c96692eefe1514733c3d151629364c4df7e21f248c9ab6affa15c1ac0618b6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1c96692eefe1514733c3d151629364c4df7e21f248c9ab6affa15c1ac0618b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-core/scripts/witness/regen.mjs"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 83754, "scanner": "repobility-threat-engine", "fingerprint": "aef2fe24bcadd2fff121aebc04c7e839d8a891fed723b7b12aff30fd7bf28f6b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aef2fe24bcadd2fff121aebc04c7e839d8a891fed723b7b12aff30fd7bf28f6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-core/scripts/witness/perf.mjs"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 83752, "scanner": "repobility-threat-engine", "fingerprint": "06ff37bb007f0362d64de51528d3ee9573694f23070f13a0545aa5396e073c6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "h.update(graphId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|06ff37bb007f0362d64de51528d3ee9573694f23070f13a0545aa5396e073c6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-graph-intelligence/src/adapters/browser-causal-adapter.ts"}, "region": {"startLine": 167}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 83751, "scanner": "repobility-threat-engine", "fingerprint": "d023123f779db5dea9182bf4407673d3b73991138ddac56adb1906ab1c269771", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "h.update(graphId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d023123f779db5dea9182bf4407673d3b73991138ddac56adb1906ab1c269771"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-graph-intelligence/src/adapters/aidefence-suspicion-adapter.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 83750, "scanner": "repobility-threat-engine", "fingerprint": "88a555f5b8ada01e0bbc33b15b42447e4ec240eecb2194254412f2af370139dc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "stack.delete(node);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|88a555f5b8ada01e0bbc33b15b42447e4ec240eecb2194254412f2af370139dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-adr/scripts/verify.mjs"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 83738, "scanner": "repobility-threat-engine", "fingerprint": "92dc45086dc08a8ca5ca0921c52d706c6807846bc85bd48566ed66659ea5ff10", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}:${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92dc45086dc08a8ca5ca0921c52d706c6807846bc85bd48566ed66659ea5ff10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/claims/src/infrastructure/vector-clock.ts"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 83737, "scanner": "repobility-threat-engine", "fingerprint": "bb28d700d7c9774d4a41809275b5af7bfa53c8793e154c0f5af3fc795a53f077", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([c, n]) => `${c}=${n} (${labels[c] || c}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb28d700d7c9774d4a41809275b5af7bfa53c8793e154c0f5af3fc795a53f077"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/audit-plugin-packages.mjs"}, "region": {"startLine": 205}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 83736, "scanner": "repobility-threat-engine", "fingerprint": "fca387a18f7c6dac22ed449e474552385d7e5bc2153fb73badb6f16d51a95973", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((f) => `[${r.dimension}] ${f}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fca387a18f7c6dac22ed449e474552385d7e5bc2153fb73badb6f16d51a95973"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/workflows/full-system-test.js"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 83734, "scanner": "repobility-threat-engine", "fingerprint": "5d7ba7ab0ca6cb7a93906491379e055464f256d62237413fa30a7e9249793884", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d7ba7ab0ca6cb7a93906491379e055464f256d62237413fa30a7e9249793884"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/src/production/error-handler.ts"}, "region": {"startLine": 354}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 83733, "scanner": "repobility-threat-engine", "fingerprint": "6ca578ef87b59c1560baf8fe09d3d4e36bb1db69f70f333ed8b1f95f36c2c797", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(matcherPattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6ca578ef87b59c1560baf8fe09d3d4e36bb1db69f70f333ed8b1f95f36c2c797"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/smoke-windows-hook-execution.mjs"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 83732, "scanner": "repobility-threat-engine", "fingerprint": "8f34a865357859ea2226031262032533b78311f3d0b9f80801e04e167a38f739", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f34a865357859ea2226031262032533b78311f3d0b9f80801e04e167a38f739"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/router.cjs"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED104", "level": "error", "message": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. 
Local privilege escalation surface; audit-failing for most compliance frameworks."}, "properties": {"repobilityId": 83719, "scanner": "repobility-threat-engine", "fingerprint": "1656619b86c4f8bde94df3ac6ecee30620ae451ad9ed527d7b91dcdcfb1daa7a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "chmod-777", "owasp": "A05:2021", "cwe_ids": ["CWE-732", "CWE-276"], "languages": ["shell", "bash", "dockerfile"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 0, "observations_count": 0, "ai_coder_pattern_id": 47}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1656619b86c4f8bde94df3ac6ecee30620ae451ad9ed527d7b91dcdcfb1daa7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/mcp/.claude/helpers/guidance-hooks.sh"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED104", "level": "error", "message": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. 
Local privilege escalation surface; audit-failing for most compliance frameworks."}, "properties": {"repobilityId": 83718, "scanner": "repobility-threat-engine", "fingerprint": "9151bec353e5a965e1296ffd2aee6d30857b8defa07730aa912e8303fe0b7af2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "chmod-777", "owasp": "A05:2021", "cwe_ids": ["CWE-732", "CWE-276"], "languages": ["shell", "bash", "dockerfile"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 0, "observations_count": 0, "ai_coder_pattern_id": 47}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9151bec353e5a965e1296ffd2aee6d30857b8defa07730aa912e8303fe0b7af2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/cli/.claude/helpers/guidance-hooks.sh"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED104", "level": "error", "message": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. 
Local privilege escalation surface; audit-failing for most compliance frameworks."}, "properties": {"repobilityId": 83717, "scanner": "repobility-threat-engine", "fingerprint": "7981b5d79d5e08652740535b1197b1ceb1e9ec3177ed8b7c63204567dc11a6e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "chmod-777", "owasp": "A05:2021", "cwe_ids": ["CWE-732", "CWE-276"], "languages": ["shell", "bash", "dockerfile"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 0, "observations_count": 0, "ai_coder_pattern_id": 47}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7981b5d79d5e08652740535b1197b1ceb1e9ec3177ed8b7c63204567dc11a6e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/guidance-hooks.sh"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 83703, "scanner": "repobility-threat-engine", "fingerprint": "f2a479b5c7f50d98a39e428c30b4473921eaf284b0bcef258e007f00fd954e1e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2a479b5c7f50d98a39e428c30b4473921eaf284b0bcef258e007f00fd954e1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ruflo-adr/scripts/import.mjs"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 83702, "scanner": "repobility-threat-engine", "fingerprint": "7b1124b0a83dd003562063b68387c9119afac03d8fceff7dd8942fa69798d4c5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(\n      process", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b1124b0a83dd003562063b68387c9119afac03d8fceff7dd8942fa69798d4c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugin/scripts/ruflo-hook.cjs"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 83701, "scanner": "repobility-threat-engine", "fingerprint": "f5a7f314292576cf06bcb87e4a86227aa544d1b9f67db016f13264d37f67f294", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(\n      process", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f5a7f314292576cf06bcb87e4a86227aa544d1b9f67db016f13264d37f67f294"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude-plugin/scripts/ruflo-hook.cjs"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED123", "level": "error", "message": {"text": "[MINED123] Trojan Source bidi character (LRE) in source: Line 183 contains a Unicode bidirectional control character (U+202A LEFT-TO-RIGHT EMBEDDING, LRE). LRE is an embedding control rather than an override (U+202D/U+202E), but CVE-2021-42574 covers the whole bidi control set. Because the flagged file is a guardrail in the security package, confirm whether line 183 holds a raw, invisible control in the source text or an escaped code-point literal in a detection list; only the former is the attack. 
This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see different code than the human reviewer."}, "properties": {"repobilityId": 83973, "scanner": "repobility-supply-chain", "fingerprint": "00fe6cf16bc87b1355443a4ff821d4f2ac9dfb02cfe4e1243837ef2ae5e4c058", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"mined": true, "mining": {"slug": "trojan-source-bidi", "owasp": null, "cwe_ids": ["CWE-1007"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "vuln||CVE-2021-42574|v3/ token", "duplicate_count": 1, "duplicate_rule_ids": ["MINED123"], "duplicate_scanners": ["repobility-supply-chain"], "duplicate_fingerprints": ["00fe6cf16bc87b1355443a4ff821d4f2ac9dfb02cfe4e1243837ef2ae5e4c058", "54b9f9b6c6bd6375e865f91a996fe6295c66378da92bfcceaf786e3b4561f53c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/security/src/tool-output-guardrail.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NPM_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NPM_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: on a `pull_request` run opened from a fork, GitHub withholds repository secrets (only a read-only GITHUB_TOKEN is passed), so the expression expands to an empty string and the step fails or silently misbehaves rather than leaking; the exfiltration path is real wherever this job is also reachable from `pull_request_target` or `workflow_run`, which execute in the base repository's trusted context with secrets while still able to check out the fork's head. Confirm which triggers reach the step at line 2114 before triaging. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context), and keep steps that need NPM_TOKEN in a `push` or `release` workflow."}, "properties": {"repobilityId": 83972, "scanner": "repobility-supply-chain", "fingerprint": "a92d2e7a16c99847d97e4c620ab47a2649be3a1541f90a06ed809056b20b1b83", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a92d2e7a16c99847d97e4c620ab47a2649be3a1541f90a06ed809056b20b1b83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/v3-ci.yml"}, "region": {"startLine": 2114}}}]}, {"ruleId": "MINED120", "level": "error", "message": {"text": "[MINED120] package.json `scripts.postinstall` runs network/exec on install: `scripts.postinstall: node -e \"const{execSync}=require('child_process');try{execSync('agent-browser --version',{stdio:'ignore'});}catch{consol` runs during `npm install` on every developer's machine and in every CI build. Common crypto-miner / data-exfiltration vector. 
Even when intentional, the hook should be reviewed and pinned."}, "properties": {"repobilityId": 83958, "scanner": "repobility-supply-chain", "fingerprint": "b31a8b8d74c52a1dede16aaf1449eee5203838589be02a5f0f4e551a5b85c4b0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-postinstall-hook", "owasp": "A08:2021", "cwe_ids": ["CWE-506"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b31a8b8d74c52a1dede16aaf1449eee5203838589be02a5f0f4e551a5b85c4b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/browser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: on a `pull_request` run opened from a fork, GitHub withholds repository secrets (only a read-only GITHUB_TOKEN is passed), so the expression expands to an empty string and the Docker Hub login fails rather than leaking; the exfiltration path is real wherever this job is also reachable from `pull_request_target` or `workflow_run`, which execute in the base repository's trusted context with secrets while still able to check out the fork's head. Confirm which triggers reach the step at line 27 before triaging. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context), and keep the registry login and any push in a `push` or `release` workflow."}, "properties": {"repobilityId": 83956, "scanner": "repobility-supply-chain", "fingerprint": "ca70998664a680f2b50e32f323d9546fc6b9cf7236b6f3f59b828a43baecb636", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca70998664a680f2b50e32f323d9546fc6b9cf7236b6f3f59b828a43baecb636"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/deploy-dev.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat: on a `pull_request` run opened from a fork, GitHub withholds repository secrets (only a read-only GITHUB_TOKEN is passed), so the expression expands to an empty string and the Docker Hub login fails rather than leaking; the exfiltration path is real wherever this job is also reachable from `pull_request_target` or `workflow_run`, which execute in the base repository's trusted context with secrets while still able to check out the fork's head. Confirm which triggers reach the step at line 26 before triaging; a username is lower-impact than the paired DOCKERHUB_PASSWORD finding on line 27, so fix both together. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context), and keep the registry login and any push in a `push` or `release` workflow."}, "properties": {"repobilityId": 83955, "scanner": "repobility-supply-chain", "fingerprint": "5eb70cde8a49bbf24f8d910f1e62f7f2dc6bfdf9da520ae5798e1d453ab329aa", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5eb70cde8a49bbf24f8d910f1e62f7f2dc6bfdf9da520ae5798e1d453ab329aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/.github/workflows/deploy-dev.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code. Triage note: the matched text ends in `}` inside the quoted value and the file is credential-generator.ts, which is consistent with a template interpolation of a generated value rather than a literal; confirm the value is not a committed constant before treating this as a leak."}, "properties": {"repobilityId": 83811, "scanner": "repobility-threat-engine", "fingerprint": "4d5cb7a44c754f4c520f3d5faebcf26270840e2cf7fce07df416b24d26f83e41", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.0 bits) \u2014 likely real secret", "evidence": {"match": "PASSWORD=\"<redacted>}\"", "reason": "High entropy value (4.0 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|v3/ token|32|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/security/src/credential-generator.ts"}, "region": {"startLine": 324}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "properties": {"repobilityId": 83810, "scanner": "repobility-threat-engine", "fingerprint": "a43a1590463a946e796d3fdf1f28f9db5c7ddc667aaf3ec1ad975574a275ea7d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a43a1590463a946e796d3fdf1f28f9db5c7ddc667aaf3ec1ad975574a275ea7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v3/@claude-flow/plugin-agent-federation/src/transport/midstream-aware-loader.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 83778, "scanner": "repobility-threat-engine", "fingerprint": "a1a3142c08d24b1a7a1512eb955fb65a36614db514ef797f1e8b179c546bc812", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a1a3142c08d24b1a7a1512eb955fb65a36614db514ef797f1e8b179c546bc812"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "scripts/smoke-workflows-yaml.mjs"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 83777, "scanner": "repobility-threat-engine", "fingerprint": "244210782e6414b69e564bfa9a070939f84b81015e3abce083d81c516e6384ce", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|244210782e6414b69e564bfa9a070939f84b81015e3abce083d81c516e6384ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/scripts/updateLocalEnv.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. 
`unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 83776, "scanner": "repobility-threat-engine", "fingerprint": "f99e4dfa5f8d48731e5e6e648d84bfe24e738b0b9620dc9ae34d703ccc4ab9d5", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|40|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/smoke-workflows-yaml.mjs"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 83775, "scanner": "repobility-threat-engine", "fingerprint": "89396cfebbf0de76f78702a3cd49f49796140e1ebc6b910c7460c16d41e3d954", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|7|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/scripts/updateLocalEnv.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). 
Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3). Triage note: the flagged file is an ES module (.mjs), so this Python rule matched a JavaScript `yaml.load(` call (js-yaml, presumably) on a file read with readFileSync, not PyYAML; in js-yaml 4.x `load` uses the safe schema by default, whereas 3.x `load` honoured `!!js/function` and required `safeLoad`. Check the installed js-yaml major version and whether the YAML path can be attacker-influenced; MINED018 and SEC116 report this same call at line 40, so triage the three together."}, "properties": {"repobilityId": 83774, "scanner": "repobility-threat-engine", "fingerprint": "049bf227a9e79d24cadac71adb896e20c96d0f8c94c68895772ce3624750d356", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(readFileSync(full, 'utf8')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|049bf227a9e79d24cadac71adb896e20c96d0f8c94c68895772ce3624750d356"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/smoke-workflows-yaml.mjs"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). 
Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3). Triage note: the flagged file is TypeScript (.ts), so this Python rule matched a JavaScript `yaml.load(file)` call (js-yaml, presumably), not PyYAML; in js-yaml 4.x `load` uses the safe schema by default, whereas 3.x `load` honoured `!!js/function` and required `safeLoad`. Check the installed js-yaml major version and where `file` comes from; MINED018 and SEC116 report this same call at line 7, so triage the three together."}, "properties": {"repobilityId": 83773, "scanner": "repobility-threat-engine", "fingerprint": "881e5d8debe73a642d596583d6cce92207b8b2565520552e8cbdb3b7d08492db", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(file)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|881e5d8debe73a642d596583d6cce92207b8b2565520552e8cbdb3b7d08492db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ruflo/src/ruvocal/scripts/updateLocalEnv.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 83722, "scanner": "repobility-threat-engine", "fingerprint": "6a04069c993eb9727676527a6a88b30fe12d714a7ae374f45dbc77eaf23e47e2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6a04069c993eb9727676527a6a88b30fe12d714a7ae374f45dbc77eaf23e47e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/smoke-router-regex.mjs"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 83721, "scanner": "repobility-threat-engine", "fingerprint": "14b40d3cae84f4bdb78d14f12fd57b14af90a99c89fe9dfd60c564f10fa33d3f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require($", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|14b40d3cae84f4bdb78d14f12fd57b14af90a99c89fe9dfd60c564f10fa33d3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/smoke-cli-npx-install.mjs"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 83720, "scanner": "repobility-threat-engine", "fingerprint": "9d1637122b3008cc2a07e90397cae28cff2c724f84bea074121c1c9ff580d9b5", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(modulePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d1637122b3008cc2a07e90397cae28cff2c724f84bea074121c1c9ff580d9b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/helpers/hook-handler.cjs"}, "region": {"startLine": 20}}}]}]}]}