{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to 
perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /m"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /admin/embeddings/rou"}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. 
Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", 
"category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 28 more): Same pattern found in 28 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392, CWE-798 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional file. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional file. 
Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 37 more): Same pattern found in 37 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 37 more): Same pattern found in 37 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-r", "shortDescription": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025"}, "fullDescription": {"text": "Replace with: `uses: actions/setup-node@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_reque", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate "}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/726"}, "properties": {"repository": "f/prompts.chat", "repoUrl": "https://github.com/f/prompts.chat", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 59221, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 59220, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP 
meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59217, "scanner": "repobility-journey-contract", "fingerprint": "36cebf060c4dbf37e614641cdf6cae7eafbb354e2b95d952dd5e551ca4fb5119", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/related-prompts", "correlation_key": "fp|36cebf060c4dbf37e614641cdf6cae7eafbb354e2b95d952dd5e551ca4fb5119", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/prompts-management.tsx"}, "region": {"startLine": 313}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59216, "scanner": "repobility-journey-contract", "fingerprint": "81c08eae29411f9305e094475c357d8542dfc1b90cd384398a3cc01a2d1ad48c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", 
"scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/embeddings", "correlation_key": "fp|81c08eae29411f9305e094475c357d8542dfc1b90cd384398a3cc01a2d1ad48c", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/prompts-management.tsx"}, "region": {"startLine": 250}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59215, "scanner": "repobility-journey-contract", "fingerprint": "b619786256f706d500c5dae9ef059a63f8fcf7f04ff0dc4e25ac09ef426f36c0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/import-prompts", "correlation_key": "fp|b619786256f706d500c5dae9ef059a63f8fcf7f04ff0dc4e25ac09ef426f36c0", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/prompts-management.tsx"}, "region": {"startLine": 228}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59214, "scanner": "repobility-journey-contract", "fingerprint": "a25c6afb5787dcefa86585a1f771c04e5e21e72b00cc90a28a6ea1b0a0729455", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", 
"scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/import-prompts", "correlation_key": "fp|a25c6afb5787dcefa86585a1f771c04e5e21e72b00cc90a28a6ea1b0a0729455", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/prompts-management.tsx"}, "region": {"startLine": 200}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59213, "scanner": "repobility-journey-contract", "fingerprint": "a0241929840e42f0fdd657e38dab05f7acb91ab38c055a89c9db2a7b46b92f89", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/prompts/{param}", "correlation_key": "fp|a0241929840e42f0fdd657e38dab05f7acb91ab38c055a89c9db2a7b46b92f89", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/prompts-management.tsx"}, "region": {"startLine": 174}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59212, "scanner": "repobility-journey-contract", "fingerprint": "1d7b5743f27fc081cd40981e059af6e51f2df17eed54b2b1ea66445c0c07e1d9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", 
"scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/prompts", "correlation_key": "fp|1d7b5743f27fc081cd40981e059af6e51f2df17eed54b2b1ea66445c0c07e1d9", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/prompts-management.tsx"}, "region": {"startLine": 138}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59211, "scanner": "repobility-journey-contract", "fingerprint": "fe75f23f536d6c4f1e7195194e844fc44ce406ee3d3e047418ce868928cd8f14", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/import-prompts", "correlation_key": "fp|fe75f23f536d6c4f1e7195194e844fc44ce406ee3d3e047418ce868928cd8f14", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/import-prompts.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59210, "scanner": "repobility-journey-contract", "fingerprint": "fa9a895044fb95479a4c57431f1c62bc3f53b44e4ba36aa744eb9e8c23847e9d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/import-prompts", "correlation_key": "fp|fa9a895044fb95479a4c57431f1c62bc3f53b44e4ba36aa744eb9e8c23847e9d", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/import-prompts.tsx"}, "region": {"startLine": 50}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59209, "scanner": "repobility-journey-contract", "fingerprint": "590100b974c2173913c57447bd11e875dd717da1408587ab6778b0f5901a2a39", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/categories/{param}", "correlation_key": "fp|590100b974c2173913c57447bd11e875dd717da1408587ab6778b0f5901a2a39", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/categories-table.tsx"}, "region": {"startLine": 187}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59208, "scanner": "repobility-journey-contract", "fingerprint": "632febc229797f6f5fe5723cb48e1eff36f32e0778ed6c746ef592cf36a546cf", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/categories", "correlation_key": "fp|632febc229797f6f5fe5723cb48e1eff36f32e0778ed6c746ef592cf36a546cf", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/categories-table.tsx"}, "region": {"startLine": 155}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59207, "scanner": "repobility-journey-contract", "fingerprint": "45b29a6e1b62c264d180ea206a28f434c8e536e765b6855217ccf3d98e3db6bc", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/categories/{param}", "correlation_key": "fp|45b29a6e1b62c264d180ea206a28f434c8e536e765b6855217ccf3d98e3db6bc", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/categories-table.tsx"}, "region": {"startLine": 154}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59206, "scanner": "repobility-journey-contract", "fingerprint": "cd923f344922102ea46a4d56086fd734f619671b52d0bd84ca62379ab8eeb729", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/categories/{param}", "correlation_key": "fp|cd923f344922102ea46a4d56086fd734f619671b52d0bd84ca62379ab8eeb729", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/categories-table.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 59205, "scanner": "repobility-journey-contract", "fingerprint": "9ae519e358756e09f962e17ccd96b116d92aa21b4debe3d08bb4179c7e9585dd", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/admin/embeddings", "correlation_key": "fp|9ae519e358756e09f962e17ccd96b116d92aa21b4debe3d08bb4179c7e9585dd", "backend_endpoint_count": 46}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/ai-search-settings.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /media-generate/route."}, "properties": {"repobilityId": 59204, "scanner": "repobility-access-control", "fingerprint": "c0e79d1e816ad48d4f3e77e7e6cad1a0742871c4eb8949fe9876c2238a892dfa", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/media-generate/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|45|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/media-generate/route.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /media-generate/route."}, "properties": {"repobilityId": 59203, "scanner": "repobility-access-control", "fingerprint": "de4dd85ccc69decea8d336eca4ae8cc99b89bb69092d10c93f4b9092a2830fca", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/media-generate/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|10|auc009", "duplicate_count": 1, "identity_targets": ["authenticated"], "duplicate_rule_ids": ["AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["5c2a17479cf0a5e44318297d1c621daadcabc454c5b2c361c614a93cddec4315", "de4dd85ccc69decea8d336eca4ae8cc99b89bb69092d10c93f4b9092a2830fca"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/media-generate/route.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /leaderboard/route."}, "properties": {"repobilityId": 59202, "scanner": "repobility-access-control", "fingerprint": "32db2aa4ef8153bb6d798886c42520f945dd344496ea28495580618e60765f99", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/leaderboard/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|150|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/leaderboard/route.ts"}, "region": {"startLine": 150}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action 
without elevated policy evidence. Endpoint: POST /improve-prompt/route."}, "properties": {"repobilityId": 59201, "scanner": "repobility-access-control", "fingerprint": "2530fee7bd0408ea88e92efd3db8647e2770b41bf30e5c0092144acec5334e95", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/improve-prompt/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|38|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/improve-prompt/route.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /prompts/route."}, "properties": {"repobilityId": 59200, "scanner": "repobility-access-control", "fingerprint": "8d8f8903e15946bb9f43a1f9eae3a0c3b6fda3d109e2c5b777338b13f0ca5f1d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/prompts/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|309|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/prompts/route.ts"}, "region": {"startLine": 309}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /prompts/route."}, "properties": {"repobilityId": 59199, "scanner": "repobility-access-control", "fingerprint": "a7971e2d0bc1b50e1c249ad6126e8546420c334ab9a8e24b856dc4e2a9e3316d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/prompts/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|35|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/prompts/route.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /reports/route."}, "properties": {"repobilityId": 59198, "scanner": "repobility-access-control", "fingerprint": "ef5c3fe3ebeefde653d9e0a6fc6d08a840eb5c0636befb4f9de48f7beea33d20", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/reports/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|12|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/reports/route.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /prompts.csv."}, "properties": {"repobilityId": 59197, "scanner": "repobility-access-control", "fingerprint": "e0e2f93fd0a752d6d677109c9da5ad18f6d6513ac5f21a704ed0d2c6a1456800", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/prompts.csv", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|28|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/prompts.csv/route.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /prompts.json."}, "properties": {"repobilityId": 59196, "scanner": "repobility-access-control", "fingerprint": "bbed57d7f4c509fb9a07d747054e002d78df818f31f554084ad2ce346e3395c0", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/prompts.json", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|25|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/prompts.json/route.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /admin/embeddings/route."}, "properties": {"repobilityId": 59195, "scanner": "repobility-access-control", "fingerprint": "16f67f4214e413205a334a7c48fce3000d21e808be8f9e6f9cd8795f807646c9", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/embeddings/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|5|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/admin/embeddings/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /admin/categories/route."}, "properties": {"repobilityId": 59194, "scanner": "repobility-access-control", "fingerprint": "5ebbfb279ad70de37cb09a09026902a449b330ab607d21d5e373e35a2a63105b", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/categories/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|7|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/admin/categories/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /admin/slugs/route."}, "properties": {"repobilityId": 59193, "scanner": "repobility-access-control", "fingerprint": "baaae963f8313f970af8745c841fdf7a5df1dd1b204c657a6585cdaa0103e32f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/admin/slugs/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|103|auc004", "duplicate_count": 1, "identity_targets": ["authenticated", "admin"], "duplicate_rule_ids": ["AUC004"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["aff11bb78b392e09fe2a1c0734abc4a9d30afed05a016f21952d6d14ae968c7f", "baaae963f8313f970af8745c841fdf7a5df1dd1b204c657a6585cdaa0103e32f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/admin/slugs/route.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /admin/tags/route."}, "properties": {"repobilityId": 59192, "scanner": "repobility-access-control", "fingerprint": "cfba9700a70ecb20120e21f6e4dee629f97a3e6a47995611d3cf277a67f26800", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/admin/tags/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|6|auc004", "duplicate_count": 2, "identity_targets": ["authenticated", "admin"], "duplicate_rule_ids": ["AUC004"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["cfba9700a70ecb20120e21f6e4dee629f97a3e6a47995611d3cf277a67f26800", "da683f05f913adac6370abb999a80974a34d658e1f375b24e14c958a16353953", "e13819b8872329d887059f2767e7449114bdfed567ca99d3d80ad5d47b4ddd47"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/admin/tags/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /admin/webhooks/route."}, "properties": {"repobilityId": 59191, "scanner": "repobility-access-control", "fingerprint": "04d8675caf14a01f66f683015f032cd0e8cd5ac074c8da51a3b0ced84b2a769e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/webhooks/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|99|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/admin/webhooks/route.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /admin/webhooks/route."}, "properties": {"repobilityId": 59190, "scanner": "repobility-access-control", "fingerprint": "c40a15d304939e2108a6506386cd309c742e6efd981089980baad48f0c1eac85", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/webhooks/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|80|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/admin/webhooks/route.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /admin/related-prompts/route."}, "properties": {"repobilityId": 59189, "scanner": "repobility-access-control", "fingerprint": "d1579763ba819dcf03dcfb895938c5429b0f14a2863514771664bd713bd60941", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin/related-prompts/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|8|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/admin/related-prompts/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 59188, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 59157, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 59156, "scanner": "repobility-threat-engine", "fingerprint": "a1a8529e0a1472f9a9c9361af44dbaf684635066fa8ed3e473364d5bc3c63a9f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a1a8529e0a1472f9a9c9361af44dbaf684635066fa8ed3e473364d5bc3c63a9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/kids/layout/background-music.tsx"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to example.com (a domain reserved by IANA under RFC 2606), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 59152, "scanner": "repobility-threat-engine", "fingerprint": "20f9958999c52903e318c4b8e9207d8e02efefd36c72f44077466107a162a7fe", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|20f9958999c52903e318c4b8e9207d8e02efefd36c72f44077466107a162a7fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/auth/register-form.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. Caveat for this match: in TypeScript a bare .exec( is most often RegExp.prototype.exec, which evaluates nothing, and child_process.exec would be command injection (CWE-78) rather than this rule; confirm the callee is eval, new Function or vm.runIn* before treating this as 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 59126, "scanner": "repobility-threat-engine", "fingerprint": "b9250264c329e4e9def87202175f6d204cebee0f220da5e8ee33a3068edb3bc2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|src/app/layout.tsx|124|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/layout.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. Caveat for this match: in TypeScript a bare .exec( is most often RegExp.prototype.exec, which evaluates nothing, and child_process.exec would be command injection (CWE-78) rather than this rule; confirm the callee is eval, new Function or vm.runIn* before treating this as 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 59125, "scanner": "repobility-threat-engine", "fingerprint": "b3ec997bdd0a79de0c3144b24168d22859b1d3eff433ce7146435f3a5fc257dc", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|15|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/raycast-extension/src/utils.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. Caveat for this match: in TypeScript a bare .exec( is most often RegExp.prototype.exec, which evaluates nothing, and child_process.exec would be command injection (CWE-78) rather than this rule; confirm the callee is eval, new Function or vm.runIn* before treating this as 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 59124, "scanner": "repobility-threat-engine", "fingerprint": "04de95a09d5f1bcef66c945b4ffdce0286bcaf680b44a99bac60049f0cdd4eda", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|125|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/prompts.chat/src/variables/index.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 59219, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 59218, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public 
and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59187, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43f1541be22a3941c49b4cc26607a53270b7aa1d0098a3b689d7a07ea01b978c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/admin/ai-search-settings.tsx", "duplicate_line": 39, "correlation_key": "fp|43f1541be22a3941c49b4cc26607a53270b7aa1d0098a3b689d7a07ea01b978c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/admin/prompts-management.tsx"}, "region": {"startLine": 222}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59186, "scanner": "repobility-ai-code-hygiene", "fingerprint": "971fece076e7c450bceac6a30d11021ce5f6b289d0c3498ab8717afcc96b439f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/taste/page.tsx", 
"duplicate_line": 67, "correlation_key": "fp|971fece076e7c450bceac6a30d11021ce5f6b289d0c3498ab8717afcc96b439f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/workflows/page.tsx"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59185, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9c4fe733a5e5201c8f28849c52416330962cb9417e5516d8cec0c28298dddc4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/api/collection/route.ts", "duplicate_line": 18, "correlation_key": "fp|9c4fe733a5e5201c8f28849c52416330962cb9417e5516d8cec0c28298dddc4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/workflows/page.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59184, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96dce0faeb7deb97d4ba377bb84d1a62579b9d3457bf8af0378e392f5a9f1082", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/api/prompts/route.ts", "duplicate_line": 312, "correlation_key": "fp|96dce0faeb7deb97d4ba377bb84d1a62579b9d3457bf8af0378e392f5a9f1082"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "src/app/workflows/page.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59183, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b331ccc36d39a69b06501ce697bbabd2a49a50cc3628c5794f78a5cd6b804bb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/prompts/page.tsx", "duplicate_line": 72, "correlation_key": "fp|9b331ccc36d39a69b06501ce697bbabd2a49a50cc3628c5794f78a5cd6b804bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/workflows/page.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59182, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8cee52541d84d6496332c05e346e8334a0ea55c026319d95e0c3bb9ba82fe34c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/api/collection/route.ts", "duplicate_line": 18, "correlation_key": "fp|8cee52541d84d6496332c05e346e8334a0ea55c026319d95e0c3bb9ba82fe34c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/taste/page.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 59181, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1be582fcd233efa3653f02bdd7c112a66b2733d380fbc20e63e7ac20c040d580", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/api/prompts/route.ts", "duplicate_line": 312, "correlation_key": "fp|1be582fcd233efa3653f02bdd7c112a66b2733d380fbc20e63e7ac20c040d580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/taste/page.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59180, "scanner": "repobility-ai-code-hygiene", "fingerprint": "144523f6c15f504c1d9166aefaa484417d0dc7af81a39d49f4649faf1ae4f88f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/prompts/page.tsx", "duplicate_line": 72, "correlation_key": "fp|144523f6c15f504c1d9166aefaa484417d0dc7af81a39d49f4649faf1ae4f88f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/taste/page.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59179, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c434ccf598669558886cdcd8819b87d6f03d424f14988f2d673b103568b0e9a3", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/api/collection/route.ts", "duplicate_line": 18, "correlation_key": "fp|c434ccf598669558886cdcd8819b87d6f03d424f14988f2d673b103568b0e9a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/prompts/page.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59178, "scanner": "repobility-ai-code-hygiene", "fingerprint": "332e40c1a913d5f038c41ecdd883ab0fbe183c0ac45f7c465c7fb29b51dd1816", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/api/prompts/route.ts", "duplicate_line": 312, "correlation_key": "fp|332e40c1a913d5f038c41ecdd883ab0fbe183c0ac45f7c465c7fb29b51dd1816"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/prompts/page.tsx"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59177, "scanner": "repobility-ai-code-hygiene", "fingerprint": "def43279c232e18f64591cff8f9f8d1052d31fa24bb50369746e2accf1ee82f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/error.tsx", "duplicate_line": 42, "correlation_key": "fp|def43279c232e18f64591cff8f9f8d1052d31fa24bb50369746e2accf1ee82f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/not-found.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59176, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2134c7909ba8f9a0445fa4b8f345d6162f4ac8deab38cde34f6d230bec3f6d3a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/book/page.tsx", "duplicate_line": 66, "correlation_key": "fp|2134c7909ba8f9a0445fa4b8f345d6162f4ac8deab38cde34f6d230bec3f6d3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/layout.tsx"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59175, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6eeb8b7e8dc5abc72845cc089dbbea25fe26963870216c1f55ca58d3affbbc3a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/collection/page.tsx", 
"duplicate_line": 32, "correlation_key": "fp|6eeb8b7e8dc5abc72845cc089dbbea25fe26963870216c1f55ca58d3affbbc3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/feed/page.tsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59174, "scanner": "repobility-ai-code-hygiene", "fingerprint": "081c42abee39f5864445ae7e90aed74524876d9c44a8e074b52274c90e427ec0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/api/collection/route.ts", "duplicate_line": 18, "correlation_key": "fp|081c42abee39f5864445ae7e90aed74524876d9c44a8e074b52274c90e427ec0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/feed/page.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59173, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a9d18c2b839745d560341dfbbc46852a3c280d5d2f6d40bb3a2bd90ff0e0256e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/collection/loading.tsx", "duplicate_line": 11, "correlation_key": "fp|a9d18c2b839745d560341dfbbc46852a3c280d5d2f6d40bb3a2bd90ff0e0256e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/app/feed/loading.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59172, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3305b3d25ae28e156e7f4dea58910c1c45cc536bf5a21387f38ad160d9be606e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/api/collection/route.ts", "duplicate_line": 14, "correlation_key": "fp|3305b3d25ae28e156e7f4dea58910c1c45cc536bf5a21387f38ad160d9be606e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/collection/page.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59171, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6fd8c5329bb46cbeb64543102e4822542152a12a1f6d7988b4251bb2b8895850", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/api/collection/route.ts", "duplicate_line": 18, "correlation_key": "fp|6fd8c5329bb46cbeb64543102e4822542152a12a1f6d7988b4251bb2b8895850"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/prompts/route.ts"}, "region": {"startLine": 174}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 59170, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b56be00c88022ce6f2b3a49354b9e6b7055bd0fd9e5537594f17b4f6d6708c0c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/api/prompt-builder/chat/route.ts", "duplicate_line": 15, "correlation_key": "fp|b56be00c88022ce6f2b3a49354b9e6b7055bd0fd9e5537594f17b4f6d6708c0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/prompt-builder/generate-example/route.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59169, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5fac70120df459b2a66baf28a0c5ced71fd3e4ce98a70e62c8c530cea1f22dc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/api/admin/prompts/route.ts", "duplicate_line": 1, "correlation_key": "fp|b5fac70120df459b2a66baf28a0c5ced71fd3e4ce98a70e62c8c530cea1f22dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/admin/users/route.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59168, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"a3deb2c0dae531d4a3d7c8a1ef4bf63c9d531544c87b82bf36ab440b1fe17d95", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/app/admin/page.tsx", "duplicate_line": 52, "correlation_key": "fp|a3deb2c0dae531d4a3d7c8a1ef4bf63c9d531544c87b82bf36ab440b1fe17d95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/admin/slugs/route.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59167, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f8e8b8467ba44066ed39db21fc33de392d6d94aa072a2eb8bec2fd993960348", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/docker-setup.js", "duplicate_line": 18, "correlation_key": "fp|3f8e8b8467ba44066ed39db21fc33de392d6d94aa072a2eb8bec2fd993960348"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/setup.js"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59166, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b5d7bf51a4a2e5eb5e579145890b48b9300bbf1618627da6e7f32c0fdf3cd08", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/prompts.chat/src/cli/platforms.ts", "duplicate_line": 98, "correlation_key": "fp|9b5d7bf51a4a2e5eb5e579145890b48b9300bbf1618627da6e7f32c0fdf3cd08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/raycast-extension/src/utils.ts"}, "region": {"startLine": 262}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59165, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35d1ee4ae8756b3c795a35f36bb0722df82400e81efc4410aace910e7e5332fe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/raycast-extension/src/browse-prompts.tsx", "duplicate_line": 125, "correlation_key": "fp|35d1ee4ae8756b3c795a35f36bb0722df82400e81efc4410aace910e7e5332fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/raycast-extension/src/search-prompts.tsx"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59164, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dd59e7cac08b54c9a9db5c3943b92efd7de79bda71341b47090d8103afb4707b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/raycast-extension/src/browse-categories.tsx", "duplicate_line": 32, "correlation_key": "fp|dd59e7cac08b54c9a9db5c3943b92efd7de79bda71341b47090d8103afb4707b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/raycast-extension/src/search-prompts.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59163, "scanner": "repobility-ai-code-hygiene", "fingerprint": "590d0db1271ee568341d69eed15659ff2e5460d1d63d58194b6804677c1fdb36", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/raycast-extension/src/browse-categories.tsx", "duplicate_line": 217, "correlation_key": "fp|590d0db1271ee568341d69eed15659ff2e5460d1d63d58194b6804677c1fdb36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/raycast-extension/src/components/prompt-detail.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59162, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a729dce5223b2da0ce60058c177a589ead7a1fec0de940f166ef1ee3f9e59a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/raycast-extension/src/browse-categories.tsx", "duplicate_line": 1, "correlation_key": "fp|6a729dce5223b2da0ce60058c177a589ead7a1fec0de940f166ef1ee3f9e59a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/raycast-extension/src/browse-prompts.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59161, "scanner": "repobility-ai-code-hygiene", "fingerprint": "57251d2d65b8320547a3d9e82e57c4ec8d583af489aa03b116f2f8151fb5fcd0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/prompts.chat/src/builder/audio.ts", "duplicate_line": 495, "correlation_key": "fp|57251d2d65b8320547a3d9e82e57c4ec8d583af489aa03b116f2f8151fb5fcd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/prompts.chat/src/builder/video.ts"}, "region": {"startLine": 568}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59160, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65821f5aa694acf2f7ee7582d961f2e9a92d234ff9d71806dc4137714137e1dc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/prompts.chat/src/builder/media.ts", "duplicate_line": 325, "correlation_key": "fp|65821f5aa694acf2f7ee7582d961f2e9a92d234ff9d71806dc4137714137e1dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/prompts.chat/src/builder/video.ts"}, "region": {"startLine": 212}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59159, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a3a4fb9653266a955022634c7f05284d57b8e3d3730697a22f28cf1b6413038", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/prompts.chat/src/builder/audio.ts", "duplicate_line": 498, "correlation_key": "fp|7a3a4fb9653266a955022634c7f05284d57b8e3d3730697a22f28cf1b6413038"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/prompts.chat/src/builder/media.ts"}, "region": {"startLine": 680}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 59158, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9964f980a54a98e40f6e5e3b4b8c58462f43473a1c0da163f2b8392b75117c9b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/prompts.chat/src/builder/audio.ts", "duplicate_line": 504, "correlation_key": 
"fp|9964f980a54a98e40f6e5e3b4b8c58462f43473a1c0da163f2b8392b75117c9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/prompts.chat/src/builder/chat.ts"}, "region": {"startLine": 683}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 59151, "scanner": "repobility-threat-engine", "fingerprint": "57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "aggregated_count": 2}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 59150, "scanner": "repobility-threat-engine", "fingerprint": "8962c5f8bd0a0903293d7e3f74b2cdd5557cb1b2e696512101aec6c129656e64", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8962c5f8bd0a0903293d7e3f74b2cdd5557cb1b2e696512101aec6c129656e64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/skills/page.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 59149, "scanner": "repobility-threat-engine", "fingerprint": "939c9c6d51b7c7d1e1c1d2dd4219ee6a39206a3068f3e17706926071397bf32a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|939c9c6d51b7c7d1e1c1d2dd4219ee6a39206a3068f3e17706926071397bf32a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/prompts/page.tsx"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 59148, "scanner": "repobility-threat-engine", "fingerprint": "451c4200b03ebf09ab733444ecd4389c74bd35918e7c1039201cbb72bacacd78", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|451c4200b03ebf09ab733444ecd4389c74bd35918e7c1039201cbb72bacacd78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/prompts.json/route.ts"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 59146, "scanner": "repobility-threat-engine", "fingerprint": "607dad8958af79f2a9dbe84ae3e2da716657a6fa80432bd9aa88838d05dd230a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|607dad8958af79f2a9dbe84ae3e2da716657a6fa80432bd9aa88838d05dd230a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/book/page.tsx"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "properties": {"repobilityId": 59145, "scanner": "repobility-threat-engine", "fingerprint": "e24948ba98df394cceed216be35232c13416d83338c442adc5f8c4e38d4085f1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e24948ba98df394cceed216be35232c13416d83338c442adc5f8c4e38d4085f1", "aggregated_count": 28}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 59144, "scanner": "repobility-threat-engine", "fingerprint": "4a6a882da9a2ce8f875e3e323d54870bc1efe2cf98b99ded0f837961c7ced367", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a6a882da9a2ce8f875e3e323d54870bc1efe2cf98b99ded0f837961c7ced367"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/collection/loading.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 59143, "scanner": "repobility-threat-engine", "fingerprint": "7400bfc7db5611bef253121bdbf40ae9aa7e89fbd8c50f1bef0070799e6ed9da", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7400bfc7db5611bef253121bdbf40ae9aa7e89fbd8c50f1bef0070799e6ed9da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/categories/loading.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 59142, "scanner": "repobility-threat-engine", "fingerprint": "30cb40c3fc154f67041f59631cc8f43c3430d2f2a1c95e46889ea461dd05ad50", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30cb40c3fc154f67041f59631cc8f43c3430d2f2a1c95e46889ea461dd05ad50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/book/page.tsx"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / 
admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 59141, "scanner": "repobility-threat-engine", "fingerprint": "8135f698c7f4cff0f36d0edce312b846d398d7d64b03f072a94541cf0537f7a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8135f698c7f4cff0f36d0edce312b846d398d7d64b03f072a94541cf0537f7a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/admin/page.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 59140, "scanner": "repobility-threat-engine", "fingerprint": "3e98ce464eb00c5d4cc0a4015294564e584809134d880278a490e4d24c4b8bef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e98ce464eb00c5d4cc0a4015294564e584809134d880278a490e4d24c4b8bef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"prisma/seed.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 59139, "scanner": "repobility-threat-engine", "fingerprint": "b4946e2147eb2aa42ff55be5729be30cf3e0396369ac48f853c05b2799dea605", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b4946e2147eb2aa42ff55be5729be30cf3e0396369ac48f853c05b2799dea605"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "prisma/reset-admin.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 59138, "scanner": "repobility-threat-engine", "fingerprint": "ea4d2c5485a92b7e8eed92a48f191d547fd3e69be383620d9f95f1c2161c8453", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|ea4d2c5485a92b7e8eed92a48f191d547fd3e69be383620d9f95f1c2161c8453"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "prisma/seed.ts"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 59137, "scanner": "repobility-threat-engine", "fingerprint": "872adaaf685d0914d63ba463ca914825a7ab9a8bdc231a1853c09dbfd825d4f1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|872adaaf685d0914d63ba463ca914825a7ab9a8bdc231a1853c09dbfd825d4f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "prisma/reset-admin.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 59136, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 59135, "scanner": "repobility-threat-engine", "fingerprint": "dde6f515c64497d470d6a059e915a5fe8acc39bdcab78eb3a96e71fc6b5ad3a1", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error(\"CRON_SECRET is not configured\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|console.error cron_secret is not configured"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/api/cron/reset-credits/route.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 59134, "scanner": "repobility-threat-engine", "fingerprint": "5ab4416e77e8ee3960d00d65763da9cfcaa3f55a86969f61bacc6633c37b8639", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(\"\\n\ud83d\udccb Test credentials (password: <redacted>", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|prisma/seed.ts|31|console.log n test credentials password: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "prisma/seed.ts"}, "region": {"startLine": 312}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 59133, "scanner": "repobility-threat-engine", "fingerprint": "db8c3c0b2a86f81b5c10392d615dccd884ad36c5505aa2ac32fb8d96c9dd5dea", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(\"   Password: <redacted>\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|prisma/reset-admin.ts|2|console.log password: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "prisma/reset-admin.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 59132, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 59127, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 37 more): Same pattern found in 37 additional files. Review if needed."}, "properties": {"repobilityId": 59123, "scanner": "repobility-threat-engine", "fingerprint": "760491a53d9a8ce2ff7ac10aa4636fcc1c1e750ff09b2457293883b4d21aa2cc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 37 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|760491a53d9a8ce2ff7ac10aa4636fcc1c1e750ff09b2457293883b4d21aa2cc", "aggregated_count": 37}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 59122, "scanner": "repobility-threat-engine", "fingerprint": "046e85a91b31d1aba2bbe217504b55f78c607aeac1c5c23872f693d9011edffb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|046e85a91b31d1aba2bbe217504b55f78c607aeac1c5c23872f693d9011edffb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "prisma/reset-admin.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 59121, "scanner": "repobility-threat-engine", "fingerprint": "33fa587a7fa47a43f709337178e9c0623a1e8f854a1ae9b019aadc7454faf6f9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|33fa587a7fa47a43f709337178e9c0623a1e8f854a1ae9b019aadc7454faf6f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/prompts.chat/src/cli/new.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 59120, "scanner": "repobility-threat-engine", "fingerprint": "6d05e108a64ea77875da8fada4cac5c0baff3da7cca8d2477db69d2e21d7fc51", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d05e108a64ea77875da8fada4cac5c0baff3da7cca8d2477db69d2e21d7fc51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/prompts.chat/src/cli/index.tsx"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 59119, "scanner": "repobility-threat-engine", "fingerprint": "82c6b69256192cc53f3e97906f4b7b1953127ff4369eaf5cc476c6a6e6d7a62f", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 17 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|82c6b69256192cc53f3e97906f4b7b1953127ff4369eaf5cc476c6a6e6d7a62f"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59228, "scanner": "repobility-supply-chain", "fingerprint": "b093c2a09ebf32fb0e19d7e97c03462772ee5d2b81a225355387c6403b0ffa8f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b093c2a09ebf32fb0e19d7e97c03462772ee5d2b81a225355387c6403b0ffa8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59227, "scanner": "repobility-supply-chain", "fingerprint": "dab1ed1d5821f0f27c3288bb5365b775cc1803d9a7df2bdb8ef54050f5bc1977", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dab1ed1d5821f0f27c3288bb5365b775cc1803d9a7df2bdb8ef54050f5bc1977"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59226, "scanner": "repobility-supply-chain", "fingerprint": "9d4d4786b90c4b5020101a685d0e50fcadee61f607d821c862406e5c75e7bfad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d4d4786b90c4b5020101a685d0e50fcadee61f607d821c862406e5c75e7bfad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59225, "scanner": "repobility-supply-chain", "fingerprint": "e18846f2c37009e113f79b7b445b385f05e8b6a119d1160b4f49777a411d2453", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e18846f2c37009e113f79b7b445b385f05e8b6a119d1160b4f49777a411d2453"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59224, "scanner": "repobility-supply-chain", "fingerprint": "43e509c378617a69010fa4a723959ab89486e8b797e519828227c1c26dc06fd1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43e509c378617a69010fa4a723959ab89486e8b797e519828227c1c26dc06fd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59223, "scanner": "repobility-supply-chain", "fingerprint": "4e1db25990d35c671ef88dab2449c67f3f483af1df7f786a4ed05d81d96390c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e1db25990d35c671ef88dab2449c67f3f483af1df7f786a4ed05d81d96390c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-contributors.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 59222, "scanner": "repobility-supply-chain", "fingerprint": "2c19da516b42ab750e37129b4edb9184b14630f9059245e1e28981759f820b34", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c19da516b42ab750e37129b4edb9184b14630f9059245e1e28981759f820b34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-contributors.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59155, "scanner": "repobility-threat-engine", "fingerprint": "ac19fc72710e23b86a7eecf0b4c031bcbb347d0332bfd8fa8b460acd88ca2ed8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "next.delete(name);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ac19fc72710e23b86a7eecf0b4c031bcbb347d0332bfd8fa8b460acd88ca2ed8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ide/api-docs-sidebar.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59154, "scanner": "repobility-threat-engine", "fingerprint": "34be627b66dda3adfa44727f1f43f043927b0db495af96fc654befd010d5d1b1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "params.delete(\"category\");", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|34be627b66dda3adfa44727f1f43f043927b0db495af96fc654befd010d5d1b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/categories/pinned-categories.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 59153, "scanner": "repobility-threat-engine", "fingerprint": "a8aa85bf8c28f0ce01d0b275e0d06fce474791677bd940de9e13eb643b484133", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "params.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a8aa85bf8c28f0ce01d0b275e0d06fce474791677bd940de9e13eb643b484133"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/categories/category-filters.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 59147, "scanner": "repobility-threat-engine", "fingerprint": "94bff5b9601758628b13ad3ae0d5c2ed858b9ff122cc61f241fbb0d927a2c67a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94bff5b9601758628b13ad3ae0d5c2ed858b9ff122cc61f241fbb0d927a2c67a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/prompts.json/route.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: 
child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 59131, "scanner": "repobility-threat-engine", "fingerprint": "3d9805e8ebca3a95b5e2b21d0422f578c42165d678e36b85d9623f98bc3f1387", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(hex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d9805e8ebca3a95b5e2b21d0422f578c42165d678e36b85d9623f98bc3f1387"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/layout.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 59130, "scanner": "repobility-threat-engine", "fingerprint": "9b8061819638dec2895f125bdb7e7c7a85f1134fe1897586b3e8736c1c30c9c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9b8061819638dec2895f125bdb7e7c7a85f1134fe1897586b3e8736c1c30c9c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/raycast-extension/src/utils.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 59129, "scanner": "repobility-threat-engine", "fingerprint": "628629b4c32ea2ddade3576fdb59c8e814524ca4c8df97abb93610040175e723", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|628629b4c32ea2ddade3576fdb59c8e814524ca4c8df97abb93610040175e723"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/prompts.chat/src/variables/index.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 59128, "scanner": "repobility-threat-engine", "fingerprint": "0fd61c1bb854bf1a75c6eb0c3698bf57e3f8648bc011cdf22a69d5e9c9290ba0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(config", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0fd61c1bb854bf1a75c6eb0c3698bf57e3f8648bc011cdf22a69d5e9c9290ba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/prompts.chat/src/variables/index.ts"}, "region": {"startLine": 135}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59118, "scanner": "repobility-threat-engine", "fingerprint": "42593aec3534ba41c7bb9817a0138d852cf934b52511c78eaeaf59b9fb706d2a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|42593aec3534ba41c7bb9817a0138d852cf934b52511c78eaeaf59b9fb706d2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/raycast-extension/src/api.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59117, "scanner": "repobility-threat-engine", "fingerprint": "a1c6cf79ed03be80a8c383e2c916c3c940546a8b5ad205dcba98693cab500731", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n  p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a1c6cf79ed03be80a8c383e2c916c3c940546a8b5ad205dcba98693cab500731"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/prompts.chat/src/cli/platforms.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 59116, "scanner": "repobility-threat-engine", "fingerprint": "a1d5186383213f3a6a74482e9fcd9b743f864c1fdcb558e183853c2f6c3da9cf", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a1d5186383213f3a6a74482e9fcd9b743f864c1fdcb558e183853c2f6c3da9cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/prompts.chat/src/cli/components/RunPrompt.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59245, "scanner": "repobility-supply-chain", "fingerprint": "2e448813bae076db1e9b999bb5784eb2d0f8cb62f50e589dab7d79f881175079", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e448813bae076db1e9b999bb5784eb2d0f8cb62f50e589dab7d79f881175079"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 1169}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59244, "scanner": "repobility-supply-chain", "fingerprint": "5e8af5a32a48a2062a7d95006f98673fab36337c8e5e65212ee3f942af7946da", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e8af5a32a48a2062a7d95006f98673fab36337c8e5e65212ee3f942af7946da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 1066}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59243, "scanner": "repobility-supply-chain", "fingerprint": "fa91928aa9878178f6c9bfbd9422053e4d910742487513914c200e1354ad92ea", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa91928aa9878178f6c9bfbd9422053e4d910742487513914c200e1354ad92ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 1042}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59242, "scanner": "repobility-supply-chain", "fingerprint": "5847f922433d4f9886231b69a16b6d6f58d4236d38a08c0128a44f1b01437ee4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5847f922433d4f9886231b69a16b6d6f58d4236d38a08c0128a44f1b01437ee4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 985}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59241, "scanner": "repobility-supply-chain", "fingerprint": "41b5769a1fdf629e7e02b4b652a1ad8fc4191a410e1037b3d0bebcd06dd9b30d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41b5769a1fdf629e7e02b4b652a1ad8fc4191a410e1037b3d0bebcd06dd9b30d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 968}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59240, "scanner": "repobility-supply-chain", "fingerprint": "b965dd8e111406c527f0d2188c19d881f135eeec610830ed72de3ed58b35c25f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b965dd8e111406c527f0d2188c19d881f135eeec610830ed72de3ed58b35c25f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 950}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59239, "scanner": "repobility-supply-chain", "fingerprint": "e29c3315fe30032c2f41dd0c33e6bc3338bfa6390075a0edc2d8e80370043d44", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e29c3315fe30032c2f41dd0c33e6bc3338bfa6390075a0edc2d8e80370043d44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 937}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59238, "scanner": "repobility-supply-chain", "fingerprint": "6b2371b19a67da33eb5e5559c9d46826776a4d9335339a3badbb20815b0fa63e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b2371b19a67da33eb5e5559c9d46826776a4d9335339a3badbb20815b0fa63e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 807}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59237, "scanner": "repobility-supply-chain", "fingerprint": "0628e011be0d1a7e98b615081a4e6201e001178d02679d00b2ef9b9472ee24a0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0628e011be0d1a7e98b615081a4e6201e001178d02679d00b2ef9b9472ee24a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 806}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59236, "scanner": "repobility-supply-chain", "fingerprint": "1ed69a9af007ca18aa29349b0b60bce0e930ad44e67a88a2eb0a54f8ac898658", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ed69a9af007ca18aa29349b0b60bce0e930ad44e67a88a2eb0a54f8ac898658"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 805}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59235, "scanner": "repobility-supply-chain", "fingerprint": "a73eff83d84cbb357ffbde7ba655bb0dfa5601296add51bf2d5308a399097a85", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a73eff83d84cbb357ffbde7ba655bb0dfa5601296add51bf2d5308a399097a85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 747}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59234, "scanner": "repobility-supply-chain", "fingerprint": "407e3e329fac911e5ed81640a4f712d051ba1eac9b96579fcac3b281255cc6db", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|407e3e329fac911e5ed81640a4f712d051ba1eac9b96579fcac3b281255cc6db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 676}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59233, "scanner": "repobility-supply-chain", "fingerprint": "e5041704cfa6c6912f32f92b1b7fc243d89fdb1119e6f970878a9c9627bc0676", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5041704cfa6c6912f32f92b1b7fc243d89fdb1119e6f970878a9c9627bc0676"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 374}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59232, "scanner": "repobility-supply-chain", "fingerprint": "d0da6fd0b14b197ead0be33f2ce26e648519b12ac8c55bb31e449b483ff187f8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0da6fd0b14b197ead0be33f2ce26e648519b12ac8c55bb31e449b483ff187f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 373}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59231, "scanner": "repobility-supply-chain", "fingerprint": "a3463bd4ea39a742b76bf718a1a9b084b3b6ebbcd5834819243cca11908991f6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3463bd4ea39a742b76bf718a1a9b084b3b6ebbcd5834819243cca11908991f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 364}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59230, "scanner": "repobility-supply-chain", "fingerprint": "8e8c77dc98e909cc657b91e642ee200ef52aa37be69f219ef095c204c7179264", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e8c77dc98e909cc657b91e642ee200ef52aa37be69f219ef095c204c7179264"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 310}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 59229, "scanner": "repobility-supply-chain", "fingerprint": "aaf0844841590133fd55246888ae7155d8fbfa09e0e2cc95154ba2e03cf8ae76", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aaf0844841590133fd55246888ae7155d8fbfa09e0e2cc95154ba2e03cf8ae76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spam-check.lock.yml"}, "region": {"startLine": 308}}}]}]}]}