{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 23.1% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 23.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 23.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 569 lines (recommend <300)", "shortDescription": {"text": "Average file size is 569 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id])"}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT002", "name": "LLM memory extraction can be prompt-injected into storing fake facts", "shortDescription": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "fullDescription": {"text": "Strict-JSON memory extraction from raw user and assistant text can be manipulated by a user message unless extracted facts are schema-validated and filtered before persistence."}, "properties": {"scanner": "repobility-agent-runtime", "category": "llm_injection", "severity": "high", "confidence": 0.82, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/293"}, "properties": {"repository": "vivekchand/clawmetry", "repoUrl": "https://github.com/vivekchand/clawmetry", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 9244, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9243, "scanner": "repobility-journey-contract", "fingerprint": "80d53a06dd1597dd4330ff785e944dc3b932c5e0525270df2bf31ef5ae196ada", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/alerts/rules", "correlation_key": "fp|80d53a06dd1597dd4330ff785e944dc3b932c5e0525270df2bf31ef5ae196ada", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 145}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9242, "scanner": "repobility-journey-contract", "fingerprint": "da69b560c0895fedd7c1c766612f8872af62669ce88c7c29433f25c8273f00c7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/budget/resume", "correlation_key": "fp|da69b560c0895fedd7c1c766612f8872af62669ce88c7c29433f25c8273f00c7", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 125}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9241, "scanner": "repobility-journey-contract", "fingerprint": "fb8da879777a2d94329286cdfb32e80047931325d4217ceeb57d27f0ab6e577f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/budget/config", "correlation_key": "fp|fb8da879777a2d94329286cdfb32e80047931325d4217ceeb57d27f0ab6e577f", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 120}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9240, "scanner": "repobility-journey-contract", "fingerprint": "56cdf77971257e77ab04879f825f883fc4e07b7751e5a5cc464a57ecb94faf70", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/budget/status", "correlation_key": "fp|56cdf77971257e77ab04879f825f883fc4e07b7751e5a5cc464a57ecb94faf70", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 90}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9239, "scanner": "repobility-journey-contract", "fingerprint": "b7ac4c3386ad2c7c775fa36aee5a531043d3872b9bb3623ea127d05f0926acd6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/budget/config", "correlation_key": "fp|b7ac4c3386ad2c7c775fa36aee5a531043d3872b9bb3623ea127d05f0926acd6", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 79}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9238, "scanner": "repobility-journey-contract", "fingerprint": "9babe1011dd4f7e8e89eae7a9c5942ee556d53ec0278c429d331bf63dd1c0f6c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/alerts", "correlation_key": "fp|9babe1011dd4f7e8e89eae7a9c5942ee556d53ec0278c429d331bf63dd1c0f6c", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 444}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9237, "scanner": "repobility-journey-contract", "fingerprint": "429c62e0007747218247d71df2b132c39f9a53731a3afaa56d7a1d8efe8eda36", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/alerts", "correlation_key": "fp|429c62e0007747218247d71df2b132c39f9a53731a3afaa56d7a1d8efe8eda36", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 443}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9236, "scanner": "repobility-journey-contract", "fingerprint": "ac5b585db19eb16563ddb9b13244fe8599c5d2bfa954f73b10aef27bb3ee2128", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/alerts", "correlation_key": "fp|ac5b585db19eb16563ddb9b13244fe8599c5d2bfa954f73b10aef27bb3ee2128", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 285}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9235, "scanner": "repobility-journey-contract", "fingerprint": "35a8e16124af935e4538664c4fe9fc14becfba8feb176adc10f7922fd6a33dd1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/channels", "correlation_key": "fp|35a8e16124af935e4538664c4fe9fc14becfba8feb176adc10f7922fd6a33dd1", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 128}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9234, "scanner": "repobility-journey-contract", "fingerprint": "54f6412a882ebe4518239d4adb621d4476d57fff5f446e1aa6eb3ae80b6c031a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/alerts/history", "correlation_key": "fp|54f6412a882ebe4518239d4adb621d4476d57fff5f446e1aa6eb3ae80b6c031a", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 112}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9233, "scanner": "repobility-journey-contract", "fingerprint": "704daf33ab4d69cd41619c3ad7be38ed0822f54451747379f9e0848d6d6d2596", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/alerts/history", "correlation_key": "fp|704daf33ab4d69cd41619c3ad7be38ed0822f54451747379f9e0848d6d6d2596", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9232, "scanner": "repobility-journey-contract", "fingerprint": "cb47474ce7ace925fd12b9e0ee14bab175dee365163dca5c13b41f971ff95634", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/alerts", "correlation_key": "fp|cb47474ce7ace925fd12b9e0ee14bab175dee365163dca5c13b41f971ff95634", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 92}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9231, "scanner": "repobility-journey-contract", "fingerprint": "a8ba0dd9ac23170acc812285744e3dafeced2be2bad889f227d60d9ebcb18114", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-proxy/api/cloud/account", "correlation_key": "fp|a8ba0dd9ac23170acc812285744e3dafeced2be2bad889f227d60d9ebcb18114", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 56}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9230, "scanner": "repobility-journey-contract", "fingerprint": "95508e820f732c16caa888ce1812a27f0a275ea0c39d3c59128ef82cc5b06b49", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cloud-cta/status", "correlation_key": "fp|95508e820f732c16caa888ce1812a27f0a275ea0c39d3c59128ef82cc5b06b49", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 54}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9229, "scanner": "repobility-journey-contract", "fingerprint": "5072feef6f25073617c912b7c866587b8d0d9ce7c2111c27dcc123a0f9494ca1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/plugin/events", "correlation_key": "fp|5072feef6f25073617c912b7c866587b8d0d9ce7c2111c27dcc123a0f9494ca1", "backend_endpoint_count": 13}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawhub-plugin/src/service.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9228, "scanner": "repobility-journey-contract", "fingerprint": "f08cc0c87b78a42c8add40a5da2a204ef1dc0776b9dd52e8fca738a5b3e30959", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|8880|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 8880}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9227, "scanner": "repobility-journey-contract", "fingerprint": "56adcd419bd13472406372c2fd36b9f4794fdeffaffb887d81ad9e9b594bd185", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|8386|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 8386}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9226, "scanner": "repobility-journey-contract", "fingerprint": "f83029723da9be5c254b35f7f2f67603666c13a370b5e78d47fb71fbe2592164", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|8385|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 8385}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9225, "scanner": "repobility-journey-contract", "fingerprint": "6a0c52d55b40c93ea9dd083a91af99680e1523f94c904ab2fbb543e157ab50ad", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|8384|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 8384}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9224, "scanner": "repobility-journey-contract", "fingerprint": "82e4740680f6cdf672ac8f8e6dba54687afe93bd5e4e8494d14f8b3850e1a4d7", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|8094|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 8094}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9223, "scanner": "repobility-journey-contract", "fingerprint": "447cca3ef2e0ade51fb665e5d9d4ea0215bf5b50d251c92813e01a80b4303a4c", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|7898|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 7898}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9222, "scanner": "repobility-journey-contract", "fingerprint": "e1e6d3ac21eb3bcfabfecff177f746fe0a200b924fd475714b6ebe64dcff3240", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|5731|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 5731}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9221, "scanner": "repobility-journey-contract", "fingerprint": "946d1fc363e1ca56fa8749de421b775e6d374c6b3c2087377649d6fe3b2285e3", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|3171|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 3171}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9220, "scanner": "repobility-journey-contract", "fingerprint": "25c5380125d316e21ea541e918dbd8c6dc8ccc01696429534eb4160be0d7745e", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|3170|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 3170}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9219, "scanner": "repobility-journey-contract", "fingerprint": "a27de9a8fa280ea5d0d15755ee7fe9ec16ce41ee8d4c55defec706f70636666d", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|clawmetry/static/js/app.js|3169|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/app.js"}, "region": {"startLine": 3169}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 23.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 9218, "scanner": "repobility-access-control", "fingerprint": "25721e1726c6b6eab588613c2400fbc69db7a8eb7073595bab815cd9704eb92f", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 13, "correlation_key": "fp|25721e1726c6b6eab588613c2400fbc69db7a8eb7073595bab815cd9704eb92f", "auth_visible_percent": 23.1}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 9217, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Flask"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 9215, "scanner": "repobility-docker", "fingerprint": "d81054a6ece0a0dc1917f7ea8736be67dc15361d92288b06a29377b3b3ea5a93", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d81054a6ece0a0dc1917f7ea8736be67dc15361d92288b06a29377b3b3ea5a93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 9214, "scanner": "repobility-threat-engine", "fingerprint": "43a974d40bc851635780ae43507ebce6a51fe716ac18bc88fa36e283366e2046", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43a974d40bc851635780ae43507ebce6a51fe716ac18bc88fa36e283366e2046"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/gw-setup.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 9211, "scanner": "repobility-threat-engine", "fingerprint": "bc60abc823d4a69a0bb61773e834dedb52cb296d5f0e6b72ab2f9054f06a7432", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bc60abc823d4a69a0bb61773e834dedb52cb296d5f0e6b72ab2f9054f06a7432"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/local_store.py"}, "region": {"startLine": 772}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 9210, "scanner": "repobility-threat-engine", "fingerprint": "feae44c5d3c30088923d4a39e3e9ec5023a556868b3b01274688afb1a7c3fa21", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|feae44c5d3c30088923d4a39e3e9ec5023a556868b3b01274688afb1a7c3fa21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/gateway_tap.py"}, "region": {"startLine": 387}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 9209, "scanner": "repobility-threat-engine", "fingerprint": "aca28600c7ba737618e7423802f6201ce84a2afba98c71c8cb62fa8081925dfb", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aca28600c7ba737618e7423802f6201ce84a2afba98c71c8cb62fa8081925dfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard_claudecode.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 9200, "scanner": "repobility-agent-runtime", "fingerprint": "76581d078afdb79fe070d5bf8256f4babb05c29bb6d97cfaf5d2a1e3713be00a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|76581d078afdb79fe070d5bf8256f4babb05c29bb6d97cfaf5d2a1e3713be00a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install-clawmetry.sh"}, "region": {"startLine": 3}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 9199, "scanner": "repobility-agent-runtime", "fingerprint": "433ccbbbb099cea2bc3a7bbf538b244052c9175d72517cb1beaedacb94d3b7ae", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|433ccbbbb099cea2bc3a7bbf538b244052c9175d72517cb1beaedacb94d3b7ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/gw-setup.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 9198, "scanner": "repobility-agent-runtime", "fingerprint": "022f06296c8ed904503a8238725a4a7cd9d6d553bb05a0536478aaa494d5e145", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|022f06296c8ed904503a8238725a4a7cd9d6d553bb05a0536478aaa494d5e145"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/approvals.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 9197, "scanner": "repobility-agent-runtime", "fingerprint": "53115a4d55a71f9e6675b9c97c152e063cb64dc4f50be7d92046a154f083c268", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|53115a4d55a71f9e6675b9c97c152e063cb64dc4f50be7d92046a154f083c268"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawhub-plugin/uninstall.sh"}, "region": {"startLine": 96}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 9196, "scanner": "repobility-agent-runtime", "fingerprint": "acb8d54183f074986bebc3cc9121b477f822ed7f3e5556c847b6563a4e7be391", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|acb8d54183f074986bebc3cc9121b477f822ed7f3e5556c847b6563a4e7be391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawhub-plugin/README.md"}, "region": {"startLine": 18}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 9195, "scanner": "repobility-agent-runtime", "fingerprint": "236d1d7eca649783ecfb46e8471a9345878eaa9c47075203af5c94adbeda2ea8", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|236d1d7eca649783ecfb46e8471a9345878eaa9c47075203af5c94adbeda2ea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 58}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 9194, "scanner": "repobility-agent-runtime", "fingerprint": "c4afedbdd351451dfdf3a051c55af61cab2792d2fe75aebc593215aa6ebc621f", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c4afedbdd351451dfdf3a051c55af61cab2792d2fe75aebc593215aa6ebc621f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CHANGELOG.md"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9193, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c63c1689dbc9d0f10dec29aa7520131493d7717c556b18ec3aafb8ce373066c8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "routes/heartbeat.py", "duplicate_line": 56, "correlation_key": "fp|c63c1689dbc9d0f10dec29aa7520131493d7717c556b18ec3aafb8ce373066c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/skills.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 569 lines (recommend <300)"}, "properties": {"repobilityId": 9192, "scanner": "repobility-core", "fingerprint": "611a72c929050963b6f5dd8fd0b11949ac491ca74b44b0038a8068c41fe1a5c5", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|611a72c929050963b6f5dd8fd0b11949ac491ca74b44b0038a8068c41fe1a5c5"}}}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 9216, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 9208, "scanner": "repobility-threat-engine", "fingerprint": "4cb2e8c2d64a87b5a56d907adee6bfce9214961045d12d8db36fc7d714fe73d9", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = a", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|155|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/static/js/alerts.js"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 9207, "scanner": "repobility-threat-engine", "fingerprint": "e908a4e7edb30090f2a320a11bf3f821c2caf5c5ae58897165ac2d287a278162", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML=s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|dashboard_claudecode.py|1097|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard_claudecode.py"}, "region": {"startLine": 1097}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "properties": {"repobilityId": 9212, "scanner": "repobility-threat-engine", "fingerprint": "75d433e4e0f1c1addf7284dc7ac198e222a64770dfc5d76e1340cef2a7a24c8d", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|75d433e4e0f1c1addf7284dc7ac198e222a64770dfc5d76e1340cef2a7a24c8d"}}}, {"ruleId": "SEC004", "level": "none", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 9205, "scanner": "repobility-threat-engine", "fingerprint": "41c8a9bc3162a1f1e203942fd77422de70538a9a59884060b39e7ab123384e23", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Line contains 'rules' \u2014 likely a detection rule or pattern list, not executable code", "evidence": {"match": ".execute(f\"UPDATE", "reason": "Line contains 'rules' \u2014 likely a detection rule or pattern list, not executable code", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|routes/alerts.py|367|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/alerts.py"}, "region": {"startLine": 367}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9213, "scanner": "repobility-threat-engine", "fingerprint": "b1da64c23e00add9a173d8f4be3730c0387732db369b6e263fc2d2700b235d5c", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Formatted expression outputs a credential-bearing value directly.", "evidence": {"match": "print(f\"  API key:      {api_key}\")", "reason": "Formatted expression outputs a credential-bearing value directly.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.92, "correlation_key": "secret|clawmetry/cli.py|58|print f api key: api_key"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/cli.py"}, "region": {"startLine": 586}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 9206, "scanner": "repobility-threat-engine", "fingerprint": "19432ce226a7329f1a68cc462c76efa2ef1a12c6f09c0c4f1d2061438e264ad4", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".execute(\n                f\"SELECT", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|212|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "clawmetry/adapters/hermes.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 9204, "scanner": "repobility-threat-engine", "fingerprint": "297e5048a57c3373ed62c45bb7559ed73b9e564d7c32d37a0998a8b4626dcdc7", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": ".execute(f'SELECT", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|history.py|239|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "history.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 9203, "scanner": "repobility-agent-runtime", "fingerprint": "990d81bb9073e2a4b484b240d052a64df96ddf98556e9eec983b3d432a6f315d", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|990d81bb9073e2a4b484b240d052a64df96ddf98556e9eec983b3d432a6f315d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/infra.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 9202, "scanner": "repobility-agent-runtime", "fingerprint": "18d50cbf611a19157b245265053db935a83d80f2d5877c8da285fd4a81a24dfb", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|18d50cbf611a19157b245265053db935a83d80f2d5877c8da285fd4a81a24dfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/heartbeat.py"}, "region": {"startLine": 283}}}]}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 9201, "scanner": "repobility-agent-runtime", "fingerprint": "ae8bdf1f11305e8f2e1a1745ca9f3b2109604a5cc903034aa71ccdaf93c5d484", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|ae8bdf1f11305e8f2e1a1745ca9f3b2109604a5cc903034aa71ccdaf93c5d484"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/components.py"}, "region": {"startLine": 211}}}]}]}]}