{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. 
For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /ex"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /export."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /{team_id}."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /{team_id}."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-jg22-mg44-37j8", "name": "aiohttp: GHSA-jg22-mg44-37j8", "shortDescription": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "fullDescription": {"text": "AIOHTTP is Vulnerable to Deserialization of Untrusted Data"}, "properties": {"scanner": "osv-scanner", "category": "dependency", 
"severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hg6j-4rv6-33pg", "name": "aiohttp: GHSA-hg6j-4rv6-33pg", "shortDescription": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "fullDescription": {"text": "AIOHTTP is vulnerable to cross-origin redirect with per-request cookies"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4w7w-66w2-5vf9", "name": "vite: GHSA-4w7w-66w2-5vf9", "shortDescription": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "fullDescription": {"text": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xcj9-5m2h-648r", "name": "mermaid: GHSA-xcj9-5m2h-648r", "shortDescription": {"text": "mermaid: GHSA-xcj9-5m2h-648r"}, "fullDescription": {"text": "Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ghcm-xqfw-q4vr", "name": "mermaid: GHSA-ghcm-xqfw-q4vr", "shortDescription": {"text": "mermaid: GHSA-ghcm-xqfw-q4vr"}, "fullDescription": {"text": "Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-87f9-hvmw-gh4p", "name": "mermaid: GHSA-87f9-hvmw-gh4p", "shortDescription": {"text": "mermaid: GHSA-87f9-hvmw-gh4p"}, "fullDescription": {"text": "Mermaid: Improper sanitization of configuration leads to CSS injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6m6c-36f7-fhxh", "name": "mermaid: 
GHSA-6m6c-36f7-fhxh", "shortDescription": {"text": "mermaid: GHSA-6m6c-36f7-fhxh"}, "fullDescription": {"text": "Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-67mh-4wv8-2f99", "name": "esbuild: GHSA-67mh-4wv8-2f99", "shortDescription": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "fullDescription": {"text": "esbuild enables any website to send any requests to the development server and read the response"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mwcw-c2x4-8c55", "name": "nanoid: GHSA-mwcw-c2x4-8c55", "shortDescription": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "fullDescription": {"text": "Predictable results in nanoid generation when given non-integer values"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xxjr-mmjv-4gpg", "name": "lodash-es: GHSA-xxjr-mmjv-4gpg", "shortDescription": {"text": "lodash-es: GHSA-xxjr-mmjv-4gpg"}, "fullDescription": {"text": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash-es: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, 
"fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `lambchat` image uses the latest tag", "shortDescription": {"text": "Compose service `lambchat` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. 
A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC139", "name": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payme", "shortDescription": {"text": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks \u2014 exactly the surfaces that need tests \u2014 with no companion test file. AI agents rewrite handlers fluent"}, "fullDescription": {"text": "Require a companion test file for any change to auth/admin/users/payments/webhooks paths. CI gate: if `src/auth/*.py` changed in a PR, fail if `tests/auth/*.py` did not also change. For migrations, require an explicit rollback (`op.execute('-- rollback ...')`) plus a test that exercises both directions."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. 
For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `_format_attachment_summary` has cognitive complexity 20 (SonarSource scal", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `_format_attachment_summary` has cognitive complexity 20 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 20."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. 
If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. 
`curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@vitejs/plugin-react` is 2 major version(s) behind (^4.3.4 -> 6.0.2)", "shortDescription": {"text": "npm package `@vitejs/plugin-react` is 2 major version(s) behind (^4.3.4 -> 6.0.2)"}, "fullDescription": {"text": "`@vitejs/plugin-react` is pinned/resolved at ^4.3.4 but the latest stable release on the npm registry is 6.0.2 (2 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "Mutable default argument in `create_persona_preset` (list)", "shortDescription": {"text": "Mutable default argument in `create_persona_preset` (list)"}, "fullDescription": {"text": "`def create_persona_preset(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. 
Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection 
without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED076", "name": "[MINED076] Catch And Reraise Noop: except X: raise X \u2014 adds no value, hides traceback if AI accidentally changes message", "shortDescription": {"text": "[MINED076] Catch And Reraise Noop: except X: raise X \u2014 adds no value, hides traceback if AI accidentally changes message."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 13 more): Same pattern found in 13 additional files", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). 
For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 27 more): Same pattern found in 27 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 48 more): Same pattern found in 48 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 48 more): Same pattern found in 48 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional file. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 15 more): Same pattern found in 15 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 70 more): Same pattern found in 70 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 70 more): Same pattern found in 70 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 34 more): Same pattern found in 34 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. 
That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /shared/{share_id}."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /shared/{share_id}."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "GHSA-qjx8-664m-686j", "name": "js-cookie: GHSA-qjx8-664m-686j", "shortDescription": {"text": "js-cookie: GHSA-qjx8-664m-686j"}, "fullDescription": {"text": "JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5pgg-2g8v-p4x9", "name": "xlsx: GHSA-5pgg-2g8v-p4x9", "shortDescription": {"text": "xlsx: GHSA-5pgg-2g8v-p4x9"}, "fullDescription": {"text": "SheetJS Regular Expression Denial of Service (ReDoS)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-4r6h-8v6p-xvw6", "name": "xlsx: GHSA-4r6h-8v6p-xvw6", "shortDescription": {"text": "xlsx: GHSA-4r6h-8v6p-xvw6"}, "fullDescription": {"text": "Prototype Pollution in sheetJS"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash-es: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. 
Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "SEC030", "name": "[SEC030] Open Redirect \u2014 user-controlled redirect target: Redirect target is taken directly from user input without vali", "shortDescription": {"text": "[SEC030] Open Redirect \u2014 user-controlled redirect target: Redirect target is taken directly from user input without validating that the destination is local to the site. 
Attackers craft phishing URLs that appear to come from your domain but"}, "fullDescription": {"text": "Validate the redirect URL against an allowlist of safe destinations:\n  # Django:\n  from django.utils.http import url_has_allowed_host_and_scheme\n  if not url_has_allowed_host_and_scheme(url, allowed_hosts={request.get_host()}):\n      url = '/'  # safe default\nOr restrict to relative paths only: `if not url.startswith('/'): abort(400)`. Never accept external schemes without verification."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. 
libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `frontend/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `frontend/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`frontend/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,583 bytes) committed to a repo that otherwise has 1289 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `pnpm/action-setup` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or Renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v5.0.0`", "shortDescription": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v5.0.0`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v5.0.0`. If `v5.0.0` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `python:3.12-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `python:3.12-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "FastAPI POST /oauth/{provider}/callback has no auth", "shortDescription": {"text": "FastAPI POST /oauth/{provider}/callback has no auth"}, "fullDescription": {"text": "Handler `oauth_callback` is registered with router/app.post(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_validate_agent_model_access_rejects_when_role_allows_no_models", "shortDescription": {"text": "Phantom test coverage: test_validate_agent_model_access_rejects_when_role_allows_no_models"}, "fullDescription": {"text": "Test function `test_validate_agent_model_access_rejects_when_role_allows_no_models` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.start_calls` used but never assigned in __init__", "shortDescription": {"text": "`self.start_calls` used but never assigned in __init__"}, "fullDescription": {"text": "Method `start_pubsub_listener` of class `_FakeTaskManager` reads `self.start_calls`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "Blocking call `time.sleep` inside async function `test_run_blocking_io_keeps_slot_until_timed_out_call_finishes`", "shortDescription": {"text": "Blocking call `time.sleep` inside async function `test_run_blocking_io_keeps_slot_until_timed_out_call_finishes`"}, "fullDescription": {"text": "`time.sleep` is a synchronous (blocking) call. 
When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. This can exfiltrate sessions when callback validation is incomplete."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "private-key", "name": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.", "shortDescription": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `stat` used but not imported", "shortDescription": {"text": "Missing import: `stat` used but not imported"}, "fullDescription": {"text": "The file uses `stat.something(...)` but never imports `stat`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1182"}, "properties": {"repository": "Yanyutin753/LambChat", "repoUrl": "https://github.com/Yanyutin753/LambChat", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 118858, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 118857, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", 
"https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 118852, "scanner": "repobility-journey-contract", "fingerprint": "da9f2cef91e0424784739e9b132026b1626e7465afe40a0027d252646d932aff", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/upload/file", "correlation_key": "fp|da9f2cef91e0424784739e9b132026b1626e7465afe40a0027d252646d932aff", "backend_endpoint_count": 191}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/services/api/config.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 118851, "scanner": "repobility-journey-contract", "fingerprint": "fed59a0088e4c8faeadd4ad6a704fc39e12877ca3496fae888305ef1731aa6f6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat/sessions/{param}/stream", "correlation_key": 
"fp|fed59a0088e4c8faeadd4ad6a704fc39e12877ca3496fae888305ef1731aa6f6", "backend_endpoint_count": 191}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/useAgent/sseConnection.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 118850, "scanner": "repobility-journey-contract", "fingerprint": "ff8d1b2399ba3b0f6ae2088afea63236b424e6ff9ff1d9c88329946915d2deab", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|33|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/services/api/token.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 118849, "scanner": "repobility-journey-contract", "fingerprint": "12e89d4a145a2285202c315fce6b8018eb1575bd0fed5fd2ea5030a111cf47ce", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|31|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/services/api/token.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": 
"Browser storage is used for session token material"}, "properties": {"repobilityId": 118848, "scanner": "repobility-journey-contract", "fingerprint": "cb6b802dea6f8cb7e5a64d016f7c4125820be48a32c588315190b347abf49744", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|24|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/services/api/token.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 118847, "scanner": "repobility-journey-contract", "fingerprint": "3d041073528d06f5670f5b7063f890575d21d3c416a3603241fbfed8ee48948e", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|17|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/services/api/token.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. 
Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 118845, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 139, "file_path": "tests/api/test_skill_routes.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 224, "file_path": "tests/api/test_skill_routes.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 252, "file_path": "tests/api/test_skill_routes.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 321, "file_path": "tests/api/test_skill_routes.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 461, "file_path": "tests/api/test_skill_routes.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /export."}, "properties": {"repobilityId": 118844, "scanner": "repobility-access-control", "fingerprint": "db808ecc268a055871613fc135ba0106dcc67fd24f5042f2a9ddef3461436c89", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/export", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/mcp.py|209|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/mcp.py"}, "region": {"startLine": 209}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /import."}, "properties": {"repobilityId": 118843, "scanner": "repobility-access-control", "fingerprint": "83d631c0ee1490ab58d206fc74cad979ca7f52e8d18a32a8a6f6104dde8ad856", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/import", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/mcp.py|172|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/mcp.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /."}, "properties": {"repobilityId": 118842, "scanner": "repobility-access-control", "fingerprint": "c7ed997727e022ddd4536e4c918fc671cd6c6a4d57a3c3abb2a2dbfb2cb39ae2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/mcp.py|129|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/mcp.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /."}, "properties": {"repobilityId": 118841, "scanner": "repobility-access-control", "fingerprint": "f097f06c83bdc7a557702c723de7756fca959d5bb0455b6401ae77bdeb68ab99", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/mcp.py|106|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/mcp.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /{key}."}, "properties": {"repobilityId": 118840, "scanner": "repobility-access-control", "fingerprint": "be726bcb55015250d445553f8fe3179a717e3a40bc59e827836b81b885ea4053", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{key}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/envvar.py|143|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/envvar.py"}, "region": {"startLine": 143}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PUT /{key}."}, "properties": {"repobilityId": 118839, "scanner": "repobility-access-control", "fingerprint": "f1aacde34f37ce485e2fc99ff6df071e86a37b7a238b85ac0a2f54df5b29d6f0", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{key}", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/envvar.py|126|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/envvar.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /{key}."}, "properties": {"repobilityId": 118838, "scanner": "repobility-access-control", "fingerprint": "93d8f52a525f3c1f37bac43cd58639398aba2fe21e328ccd3ddf7f94337eb8b3", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{key}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/envvar.py|113|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/envvar.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /all."}, "properties": {"repobilityId": 118837, "scanner": "repobility-access-control", "fingerprint": "4c3c8018ef99d994942af301e1b268a3814a68de18f53845a76c73fa7dcd8735", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/all", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/envvar.py|97|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/envvar.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PUT /bulk."}, "properties": {"repobilityId": 118836, "scanner": "repobility-access-control", "fingerprint": "8c82d2957372a2bc801d9dc54191cbbd8644d3845a6232cbe34465fe22d43896", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/bulk", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/envvar.py|75|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/envvar.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /."}, "properties": {"repobilityId": 118835, "scanner": "repobility-access-control", "fingerprint": "e8c8efe9f5c10056bfa4619de8f4d770cf12fb5582b6fcf5422dcc83e3621e5e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/deps.py|266|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/deps.py"}, "region": {"startLine": 266}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /{team_id}."}, "properties": {"repobilityId": 118834, "scanner": "repobility-access-control", "fingerprint": "6b41e54d70bcc36ee3c6050ec4052acd6c2fc0d2aca6c8cc909339c94c69814e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{team_id}", "method": "PUT", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/team.py|69|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/team.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from 
tenant/application admin access. Endpoint: GET /{team_id}."}, "properties": {"repobilityId": 118833, "scanner": "repobility-access-control", "fingerprint": "b5ef78112502a2b73a547d575e27deb114ed2ef0d0d7b7380f5093e8091c6c52", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{team_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/team.py|57|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/team.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /."}, "properties": {"repobilityId": 118832, "scanner": "repobility-access-control", "fingerprint": "7f42ecb04b8c68a18f294bc8852cf4af974420d1ec67261ec8d3fcf96839809a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/team.py|48|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/team.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /."}, "properties": {"repobilityId": 118831, "scanner": "repobility-access-control", "fingerprint": "5bdd916b47564e442298f6bc1ece2b7c122239b046e5282bac1b7f9817e429a8", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/team.py|25|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/team.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /{feedback_id}."}, "properties": {"repobilityId": 118830, "scanner": "repobility-access-control", "fingerprint": "bce6babec32a0457d3d7def90438556ecc63e6bf2e1e8a8702c65eda436a9959", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{feedback_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/feedback.py|170|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/feedback.py"}, "region": {"startLine": 170}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /stats/{session_id}/{run_id}."}, "properties": {"repobilityId": 118829, "scanner": "repobility-access-control", "fingerprint": "e4f9cecd6a663506c78e78a1a84c40179b92f2b86d51a95f1efc3d8610496aff", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/stats/{session_id}/{run_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/feedback.py|155|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/feedback.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /by-run/{session_id}/{run_id}."}, "properties": {"repobilityId": 118828, "scanner": "repobility-access-control", "fingerprint": "ffc10d9b60bfca7e805f0f8d1e7e40f3c51586ec81e5dee619c8b6c5790241a3", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/by-run/{session_id}/{run_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/feedback.py|140|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/feedback.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /my/by-run/{session_id}/{run_id}."}, "properties": {"repobilityId": 118827, "scanner": "repobility-access-control", "fingerprint": "7a256bc208886098d8347401c471b6408bf91b6b8102a45733d3cf6c7131296e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/my/by-run/{session_id}/{run_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/feedback.py|120|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/feedback.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /stats."}, "properties": {"repobilityId": 118826, "scanner": "repobility-access-control", "fingerprint": "b861c67ad0a7de5fdf3642b9c3ad90816229aba214a7ec967627006c7ab9477e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/stats", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/feedback.py|105|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/feedback.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /."}, "properties": {"repobilityId": 118825, "scanner": "repobility-access-control", "fingerprint": "fc54047f68b74043191d710258bb58ce229426a48253933034749921fcc00b09", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/routes/feedback.py|48|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/feedback.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 118823, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-jg22-mg44-37j8", "level": "warning", "message": {"text": "aiohttp: GHSA-jg22-mg44-37j8"}, "properties": {"repobilityId": 118822, "scanner": "osv-scanner", "fingerprint": "f360dcc0eba31763fb048fbf952ff9aaacd93fae36b950018274d5457fa1322d", "category": "dependency", "severity": "medium", "confidence": 
0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34993"], "package": "aiohttp", "rule_id": "GHSA-jg22-mg44-37j8", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-34993|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hg6j-4rv6-33pg", "level": "warning", "message": {"text": "aiohttp: GHSA-hg6j-4rv6-33pg"}, "properties": {"repobilityId": 118821, "scanner": "osv-scanner", "fingerprint": "2da1f8cf81a5e62587e98e266536e6b0ec96ebc178f00a59702cebb0a7957e28", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47265"], "package": "aiohttp", "rule_id": "GHSA-hg6j-4rv6-33pg", "scanner": "osv-scanner", "correlation_key": "vuln|aiohttp|CVE-2026-47265|uv.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "uv.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 118820, "scanner": "osv-scanner", "fingerprint": "a2c12e2b28152cf8b2318c26eb42f38e3894a8280e15146de8ce046c997d7d89", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xcj9-5m2h-648r", "level": "warning", "message": {"text": "mermaid: GHSA-xcj9-5m2h-648r"}, "properties": {"repobilityId": 118819, "scanner": "osv-scanner", "fingerprint": 
"97141b5a1f0f4f7fa5a7882d5953c7fe31fa05c97bb05b544bd6af16056b7802", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41148"], "package": "mermaid", "rule_id": "GHSA-xcj9-5m2h-648r", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41148|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ghcm-xqfw-q4vr", "level": "warning", "message": {"text": "mermaid: GHSA-ghcm-xqfw-q4vr"}, "properties": {"repobilityId": 118818, "scanner": "osv-scanner", "fingerprint": "8df4226d153b569f6b61019c7de4297e070c352da4cbec6de7e473221e206d0d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41149"], "package": "mermaid", "rule_id": "GHSA-ghcm-xqfw-q4vr", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41149|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-87f9-hvmw-gh4p", "level": "warning", "message": {"text": "mermaid: GHSA-87f9-hvmw-gh4p"}, "properties": {"repobilityId": 118817, "scanner": "osv-scanner", "fingerprint": "a14e3e4103f991b1878e2708f0f0d5004711bb95b965cfa22393103ddcd18706", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41159"], "package": "mermaid", "rule_id": "GHSA-87f9-hvmw-gh4p", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41159|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6m6c-36f7-fhxh", 
"level": "warning", "message": {"text": "mermaid: GHSA-6m6c-36f7-fhxh"}, "properties": {"repobilityId": 118816, "scanner": "osv-scanner", "fingerprint": "0ca8ec013fa3b02a133a9a2ab11dd8320d0dcd489b5c19a946504c2ea82200e5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41150"], "package": "mermaid", "rule_id": "GHSA-6m6c-36f7-fhxh", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41150|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 118814, "scanner": "osv-scanner", "fingerprint": "41f281ca33e7758f3ed49d251cab103d4cb0c6de82ba0c8149194ad02717accb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mwcw-c2x4-8c55", "level": "warning", "message": {"text": "nanoid: GHSA-mwcw-c2x4-8c55"}, "properties": {"repobilityId": 118811, "scanner": "osv-scanner", "fingerprint": "f911cfb5d4a2e473ecf00b6cb864cd6d39a7a3ca81c3485d11630f017ad4a715", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-55565"], "package": "nanoid", "rule_id": "GHSA-mwcw-c2x4-8c55", "scanner": "osv-scanner", "correlation_key": "vuln|nanoid|CVE-2024-55565|frontend/pnpm-lock.yaml"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xcj9-5m2h-648r", "level": "warning", "message": {"text": "mermaid: GHSA-xcj9-5m2h-648r"}, "properties": {"repobilityId": 118810, "scanner": "osv-scanner", "fingerprint": "1feda2ff30ee8abe4e63b47053cff14ebf1df54a7cdc2614bcb1fafc3639a6f8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41148"], "package": "mermaid", "rule_id": "GHSA-xcj9-5m2h-648r", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41148|frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ghcm-xqfw-q4vr", "level": "warning", "message": {"text": "mermaid: GHSA-ghcm-xqfw-q4vr"}, "properties": {"repobilityId": 118809, "scanner": "osv-scanner", "fingerprint": "cb34b25fb5344e6dd9662b65c08ca26bd70584f4dcdbe7826567c6bb58ae9d4c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41149"], "package": "mermaid", "rule_id": "GHSA-ghcm-xqfw-q4vr", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41149|frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-87f9-hvmw-gh4p", "level": "warning", "message": {"text": "mermaid: GHSA-87f9-hvmw-gh4p"}, "properties": {"repobilityId": 118808, "scanner": "osv-scanner", "fingerprint": "63d2c42f0635e287bf257741e17b911d36e1c3892616457b111cab2b1e503cd4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": 
"", "aliases": ["CVE-2026-41159"], "package": "mermaid", "rule_id": "GHSA-87f9-hvmw-gh4p", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41159|frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6m6c-36f7-fhxh", "level": "warning", "message": {"text": "mermaid: GHSA-6m6c-36f7-fhxh"}, "properties": {"repobilityId": 118807, "scanner": "osv-scanner", "fingerprint": "3ff88b8e4d9c1ca0f9f8dfb2c7a54c5aca565c579332a0296af02ac368241f93", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41150"], "package": "mermaid", "rule_id": "GHSA-6m6c-36f7-fhxh", "scanner": "osv-scanner", "correlation_key": "vuln|mermaid|CVE-2026-41150|frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xxjr-mmjv-4gpg", "level": "warning", "message": {"text": "lodash-es: GHSA-xxjr-mmjv-4gpg"}, "properties": {"repobilityId": 118806, "scanner": "osv-scanner", "fingerprint": "d7041d6b34bfb3f8ddf14603e1a18a1a7ee5176fcd35e41bebfe1ab9d7de724f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-13465"], "package": "lodash-es", "rule_id": "GHSA-xxjr-mmjv-4gpg", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2025-13465|frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 118804, "scanner": "osv-scanner", "fingerprint": 
"b1a727d3dbc9e890a457866d1eaae53ac8e1664fde27404ce68fa8c0c009699e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash-es", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2026-2950|frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 118802, "scanner": "osv-scanner", "fingerprint": "93f3561e1ddef3e3b745b6488773e7bf0d920492435dbd73095e7831a67389f9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4w7w-66w2-5vf9", "level": "warning", "message": {"text": "vite: GHSA-4w7w-66w2-5vf9"}, "properties": {"repobilityId": 118801, "scanner": "osv-scanner", "fingerprint": "a355c7069e1dc4cff380e3b6746403f519f6eb97ec2379e196e3b252c4254dfb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39365"], "package": "vite", "rule_id": "GHSA-4w7w-66w2-5vf9", "scanner": "osv-scanner", "correlation_key": "vuln|vite|CVE-2026-39365|docs/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/pnpm-lock.yaml"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-67mh-4wv8-2f99", "level": "warning", "message": {"text": "esbuild: GHSA-67mh-4wv8-2f99"}, "properties": {"repobilityId": 118800, "scanner": "osv-scanner", "fingerprint": "9d27a7e9758e27349b8043c1bd73665046d2b555eefb09f29cdff806ba41966c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "esbuild", "rule_id": "GHSA-67mh-4wv8-2f99", "scanner": "osv-scanner", "correlation_key": "vuln|esbuild|GHSA-67MH-4WV8-2F99|docs/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `lambchat` image uses the latest tag"}, "properties": {"repobilityId": 118795, "scanner": "repobility-docker", "fingerprint": "14facf47b1a387d0d90f9d61fdae3321a52f44fe99dddf7b4510cba6a8fa37cc", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/yanyutin753/lambchat:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|14facf47b1a387d0d90f9d61fdae3321a52f44fe99dddf7b4510cba6a8fa37cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 118794, "scanner": "repobility-docker", "fingerprint": "d31c5b9292d0c88eb2eca0ec795354cf609f498070150ddf1514516e0e4077a5", "category": "docker", "severity": "medium", "confidence": 0.88, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|d31c5b9292d0c88eb2eca0ec795354cf609f498070150ddf1514516e0e4077a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 118788, "scanner": "repobility-threat-engine", "fingerprint": "4327a3ea3f11c523027f2b4f6847df42196166123653867a1c7f177becbf4457", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def _run(self, query: str) -> str:\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4327a3ea3f11c523027f2b4f6847df42196166123653867a1c7f177becbf4457"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/tool/tool_search_tool.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 118779, "scanner": "repobility-threat-engine", "fingerprint": "dd18a610d59103e0b0ef6e30bd190cf67635e04e2a30b0ce3faed088faf7e114", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def build_storage_key", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|src/infra/skill/binary.py|182|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/skill/binary.py"}, "region": {"startLine": 182}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 118778, "scanner": "repobility-threat-engine", "fingerprint": "289ed968e44fd121d8e0abe1ba41d9cfd21eefc5d945816cc22a5ad623383b54", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def create_access_token", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|src/infra/auth/jwt.py|18|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/auth/jwt.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 118777, "scanner": "repobility-threat-engine", "fingerprint": "845f57fa9b18538e471d2c15b9477e4f18755a85e4c9d8028c69004d79c9cc1e", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def build_key", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|30|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/rate_limiter.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC139", "level": "warning", "message": {"text": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks \u2014 exactly the surfaces that need tests \u2014 with no companion test file. AI agents rewrite handlers fluently but skip the test diff almost every time, leaving high-blast-radius code uncovered. Distinct from generic 'no tests' because we target sensitive surfaces where the absence of tests is itself a risk signal. 
CWE-1078 (missing test coverage of security-critica"}, "properties": {"repobilityId": 118775, "scanner": "repobility-threat-engine", "fingerprint": "665ac9cce693d73d936c89cc7081e9697eb578bb95c8a5b930b3fa8b0e0674f4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.put(\"/user/preference\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC139", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|665ac9cce693d73d936c89cc7081e9697eb578bb95c8a5b930b3fa8b0e0674f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/agent/config.py"}, "region": {"startLine": 323}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 118769, "scanner": "repobility-threat-engine", "fingerprint": "3c123e7d05d30c50a7aa2801b85a8c5cc8221317c782c179bfd9941332e4deaa", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3c123e7d05d30c50a7aa2801b85a8c5cc8221317c782c179bfd9941332e4deaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/project.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 118768, "scanner": "repobility-threat-engine", "fingerprint": "5cfa9fd986bf3d830b525b038f9a4a79139afb45e919ad53fb66d9c322699b52", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5cfa9fd986bf3d830b525b038f9a4a79139afb45e919ad53fb66d9c322699b52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/health.py"}, "region": {"startLine": 166}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 118767, "scanner": "repobility-threat-engine", "fingerprint": "e259c4934a660d2c1d2e8bd507de1b7b902ac060857e0c6ecc39ea69e36dd574", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e259c4934a660d2c1d2e8bd507de1b7b902ac060857e0c6ecc39ea69e36dd574"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/middleware/user_context.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns 
success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 118765, "scanner": "repobility-threat-engine", "fingerprint": "e822e30045272b31452ffa9419b659447c0b7a73a23f26bddd14e6ec7724801e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n            project_dict = await self.collection.find_one(\n                {\"_id\": ObjectId(pro", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e822e30045272b31452ffa9419b659447c0b7a73a23f26bddd14e6ec7724801e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/folder/storage.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 118764, "scanner": "repobility-threat-engine", "fingerprint": "287fc57939bec118ba9b63f2a7ee8e651c68aab9ba838e67f77a6baec6e29093", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                pass  # Skip", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|287fc57939bec118ba9b63f2a7ee8e651c68aab9ba838e67f77a6baec6e29093"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/channel/feishu/markdown.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 118763, "scanner": "repobility-threat-engine", "fingerprint": "de423b7bd18067a6cbec768373d9209980e22cb21cb851564d45cc1080fe1193", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        cached = getattr(request.state, \"current_user\", None)\n        if isinstance(cached, Tok", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de423b7bd18067a6cbec768373d9209980e22cb21cb851564d45cc1080fe1193"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/deps.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). 
CWE-117."}, "properties": {"repobilityId": 118761, "scanner": "repobility-threat-engine", "fingerprint": "9979a85aee5fc1b264203781797214558147dc94eafa184ce6e89cb14bc2cedb", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.info(f\"[WebSocket] Auth successful: user_id={user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9979a85aee5fc1b264203781797214558147dc94eafa184ce6e89cb14bc2cedb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/websocket.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). 
CWE-117."}, "properties": {"repobilityId": 118760, "scanner": "repobility-threat-engine", "fingerprint": "1692f990666f710bd5ac65703aa49c2b165506811c38164a858759d807d95bed", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.warning(f\"Duplicate feedback for user {user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1692f990666f710bd5ac65703aa49c2b165506811c38164a858759d807d95bed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/feedback.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, splunk). Combined with template injection this can escalate to RCE (CVE-2021-44228 log4shell). 
CWE-117."}, "properties": {"repobilityId": 118759, "scanner": "repobility-threat-engine", "fingerprint": "c033a85f9c6c0eff96566b89f98fa3994c3a28494d93f88c495cb1daa02e77d6", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.warning(f\"[WebSocket] User not found: {user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c033a85f9c6c0eff96566b89f98fa3994c3a28494d93f88c495cb1daa02e77d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/deps.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `_format_attachment_summary` has cognitive complexity 20 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, elif=1, else=1, for=1, if=6, nested_bonus=8, or=2."}, "properties": {"repobilityId": 118749, "scanner": "repobility-threat-engine", "fingerprint": "f819e3901a74ffdac8bc735be21904e5a26164054c53f0055bcdbd7d2dd9dcbc", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 20 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "_format_attachment_summary", "breakdown": {"if": 6, "or": 2, "for": 1, "elif": 1, "else": 1, "continue": 1, "nested_bonus": 8}, "complexity": 20, "correlation_key": "fp|f819e3901a74ffdac8bc735be21904e5a26164054c53f0055bcdbd7d2dd9dcbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/core/node_utils.py"}, "region": {"startLine": 217}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 118736, "scanner": "repobility-threat-engine", "fingerprint": "ca09648fe565e5938612caa7aa26ddacf1d4ee4a164a8788f1a1f7f5e6dda94d", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = buildOAuthLoginUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ca09648fe565e5938612caa7aa26ddacf1d4ee4a164a8788f1a1f7f5e6dda94d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/useAuth.tsx"}, "region": {"startLine": 259}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 118730, "scanner": "repobility-threat-engine", "fingerprint": "0195a85c331145ec0965ca03382adb9864e6d48b894e4a83f303adb13909ef3b", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(versionInfo.release_url, \"_blank\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|31|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/common/AboutDialog.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 118715, "scanner": "repobility-threat-engine", "fingerprint": "f08d196e6fd766d158bf9e6fc134e239aaae3b405f47ed45b2c5b349547aab2d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f08d196e6fd766d158bf9e6fc134e239aaae3b405f47ed45b2c5b349547aab2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/fileLibrary/RevealedFilesPanel.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 118714, 
"scanner": "repobility-threat-engine", "fingerprint": "321c2232ba357061819ecab029d0c5bd668546e4559ec603c95fb799a66956d0", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|321c2232ba357061819ecab029d0c5bd668546e4559ec603c95fb799a66956d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/common/LanguageToggle.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 118713, "scanner": "repobility-threat-engine", "fingerprint": "c6ef7e500d0b1522beb7fd951e7362a216e2297f8a2313f2873c560df821cba6", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c6ef7e500d0b1522beb7fd951e7362a216e2297f8a2313f2873c560df821cba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatInputToolbar.tsx"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 118695, "scanner": "repobility-threat-engine", "fingerprint": "ed5dc15004116685ea2fe8d62451df272c4fc8de6f12d74d1a6dd1d638784480", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|32|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/useAgent/goalCommands.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 118694, "scanner": "repobility-threat-engine", "fingerprint": "663a86f8d582a4f54c593048967ccd4464a740d49d75637364454dba4ff8193d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|111|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/extract-i18n.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 118689, "scanner": "repobility-agent-runtime", "fingerprint": "57c1d4a1b16ab0e9bcc0efda47333ce23d8dea59c23861bb5078c9fcc69081fd", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|57c1d4a1b16ab0e9bcc0efda47333ce23d8dea59c23861bb5078c9fcc69081fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/create_daytona_snapshot.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 118688, "scanner": "repobility-agent-runtime", "fingerprint": "9ed8984152d0072edbc49a3d3c6f2fe6f650ebb5740e3033a9e828fce4d0f351", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": 
"open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9ed8984152d0072edbc49a3d3c6f2fe6f650ebb5740e3033a9e828fce4d0f351"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/vite.config.ts"}, "region": {"startLine": 166}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 118687, "scanner": "repobility-agent-runtime", "fingerprint": "1dcef169ba0cc7ce5b239d7a2ca117a9376e52c5aa8ec90a413a7fb3e121ee56", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|1dcef169ba0cc7ce5b239d7a2ca117a9376e52c5aa8ec90a413a7fb3e121ee56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/useSessionConfig.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 118686, "scanner": "repobility-agent-runtime", "fingerprint": "91700d9f4d70b65302824dac17bcefe8961621c7878a5a7d38e1d726d884c17d", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": 
"repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|91700d9f4d70b65302824dac17bcefe8961621c7878a5a7d38e1d726d884c17d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/useInputHistory.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 118685, "scanner": "repobility-agent-runtime", "fingerprint": "3baef3ec00539d9da561a50c946315b31782e5b45576b56afe2db683fdb59ba0", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|3baef3ec00539d9da561a50c946315b31782e5b45576b56afe2db683fdb59ba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/persona/usePersonaPlaza.ts"}, "region": {"startLine": 167}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@vitejs/plugin-react` is 2 major version(s) behind (^4.3.4 -> 6.0.2)"}, "properties": {"repobilityId": 118682, "scanner": "repobility-dependency-currency", "fingerprint": "8af64a8b38bba388ef02bef93691566c028d9aef93e9afe8ac1d16651469fea6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.2", "correlation_key": 
"fp|8af64a8b38bba388ef02bef93691566c028d9aef93e9afe8ac1d16651469fea6", "current_version": "^4.3.4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@eslint/js` is 1 major version(s) behind (^9.17.0 -> 10.0.1)"}, "properties": {"repobilityId": 118680, "scanner": "repobility-dependency-currency", "fingerprint": "8d886bcf8ecbf151341b30f0dccfd1c70829c66f4d0d3280c02fbf589eb85373", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@eslint/js", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.0.1", "correlation_key": "fp|8d886bcf8ecbf151341b30f0dccfd1c70829c66f4d0d3280c02fbf589eb85373", "current_version": "^9.17.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `react-markdown` is 1 major version(s) behind (^9.0.1 -> 10.1.0)"}, "properties": {"repobilityId": 118676, "scanner": "repobility-dependency-currency", "fingerprint": "bc743c405bc7467c51ffc994e0606d5159d454df5f05def38c449e44fc3a6070", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-markdown", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.1.0", "correlation_key": "fp|bc743c405bc7467c51ffc994e0606d5159d454df5f05def38c449e44fc3a6070", "current_version": "^9.0.1"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "Mutable default argument in `create_persona_preset` (list)"}, "properties": {"repobilityId": 118610, "scanner": "repobility-ast-engine", "fingerprint": "5983a495830c9e732025fcf9f53009857c96f71fe7456bf92aeefc844a733d17", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5983a495830c9e732025fcf9f53009857c96f71fe7456bf92aeefc844a733d17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/tool/persona_preset_tool.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118609, "scanner": "repobility-ast-engine", "fingerprint": "715bed3c77aeffec572831927bf888a9b4fc248ca0842a1fb2d9178046aa6531", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|715bed3c77aeffec572831927bf888a9b4fc248ca0842a1fb2d9178046aa6531"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/persona_preset/storage.py"}, "region": {"startLine": 331}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118608, "scanner": "repobility-ast-engine", "fingerprint": 
"4d4bed413e34786b11ef6d4e71eedc834a4a64a9a566845c87959ae2ff86cb51", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4d4bed413e34786b11ef6d4e71eedc834a4a64a9a566845c87959ae2ff86cb51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/persona_preset/storage.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118607, "scanner": "repobility-ast-engine", "fingerprint": "44df188281eefd18557f355605615554520f0bf15dd79ceb1e02d901028f952e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44df188281eefd18557f355605615554520f0bf15dd79ceb1e02d901028f952e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/role/storage.py"}, "region": {"startLine": 441}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118606, "scanner": "repobility-ast-engine", "fingerprint": "f9b9cd7a73fcffd0b802fcaa15083f5de40bde7044ce2da2934a474e3b987e23", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, 
"scanner": "repobility-ast-engine", "correlation_key": "fp|f9b9cd7a73fcffd0b802fcaa15083f5de40bde7044ce2da2934a474e3b987e23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/role/storage.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118605, "scanner": "repobility-ast-engine", "fingerprint": "b5e0fe611fe858e7a6ed7148ed9e5a20d180790661e5855ebbb9aeec63ef83f2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b5e0fe611fe858e7a6ed7148ed9e5a20d180790661e5855ebbb9aeec63ef83f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/core/recommendations.py"}, "region": {"startLine": 447}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118604, "scanner": "repobility-ast-engine", "fingerprint": "05642118367f6204fd87f7d682c53ea73f24dff15fb3ed7626ff5c9c486e9611", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|05642118367f6204fd87f7d682c53ea73f24dff15fb3ed7626ff5c9c486e9611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/core/recommendations.py"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, 
"properties": {"repobilityId": 118603, "scanner": "repobility-ast-engine", "fingerprint": "24c31a40b37fc7ccf9fc23775093dca523a38553dc2af8c940440ab369a2832e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|24c31a40b37fc7ccf9fc23775093dca523a38553dc2af8c940440ab369a2832e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/core/base.py"}, "region": {"startLine": 434}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118602, "scanner": "repobility-ast-engine", "fingerprint": "8edc02cf98dbf5f17ed38041c14f104d0cf1b6aa4775746739a740972a338712", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8edc02cf98dbf5f17ed38041c14f104d0cf1b6aa4775746739a740972a338712"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/core/base.py"}, "region": {"startLine": 870}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118601, "scanner": "repobility-ast-engine", "fingerprint": "3dc8b5926604ad7b2055362d11b37ea82f55ddaf99d16cc16b235c2cb02e3efc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, 
"cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3dc8b5926604ad7b2055362d11b37ea82f55ddaf99d16cc16b235c2cb02e3efc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/channels.py"}, "region": {"startLine": 642}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118600, "scanner": "repobility-ast-engine", "fingerprint": "178a19302e63a30e676bc805d8b57683b7526366a83904c4efa88cc739a97ae2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|178a19302e63a30e676bc805d8b57683b7526366a83904c4efa88cc739a97ae2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/skill.py"}, "region": {"startLine": 650}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118599, "scanner": "repobility-ast-engine", "fingerprint": "3a70417940adc2f803557394f095a845d3abfd1ff59f624409f5818ce8accab2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a70417940adc2f803557394f095a845d3abfd1ff59f624409f5818ce8accab2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/skill.py"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED111", "level": "warning", "message": 
{"text": "Bare except continues silently"}, "properties": {"repobilityId": 118598, "scanner": "repobility-ast-engine", "fingerprint": "0b4606db4840ccf787e4f456b52ddf3825da6dc8c4b2d7fe4cdd59dbdc8ad6e6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b4606db4840ccf787e4f456b52ddf3825da6dc8c4b2d7fe4cdd59dbdc8ad6e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/session.py"}, "region": {"startLine": 765}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118597, "scanner": "repobility-ast-engine", "fingerprint": "787c59f15cebddab76e2b9d80df04c1dc77265703b34139642c3d83786efff4e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|787c59f15cebddab76e2b9d80df04c1dc77265703b34139642c3d83786efff4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/skill_uploads.py"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118596, "scanner": "repobility-ast-engine", "fingerprint": "7418dac686f19e9d2f9cf39ead372f993ddbd27e7826dbaec4a1b3d934d8aa56", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, 
"mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7418dac686f19e9d2f9cf39ead372f993ddbd27e7826dbaec4a1b3d934d8aa56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/upload.py"}, "region": {"startLine": 872}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118595, "scanner": "repobility-ast-engine", "fingerprint": "df6260ef1b60f9ac615cc016edf4a540784e0a13df487302fff3975274539632", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|df6260ef1b60f9ac615cc016edf4a540784e0a13df487302fff3975274539632"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/upload.py"}, "region": {"startLine": 860}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118593, "scanner": "repobility-ast-engine", "fingerprint": "20b70df8f379e85be603c416c6ab55d8e3dc5a846dc2dbf32c634b6953f08824", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20b70df8f379e85be603c416c6ab55d8e3dc5a846dc2dbf32c634b6953f08824"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/deps.py"}, "region": {"startLine": 112}}}]}, 
{"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118592, "scanner": "repobility-ast-engine", "fingerprint": "97353074565bdbc6661c49ff293177f64e6e9423445f1d8e95d0ea552ebbc426", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97353074565bdbc6661c49ff293177f64e6e9423445f1d8e95d0ea552ebbc426"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/github_client.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118591, "scanner": "repobility-ast-engine", "fingerprint": "5b5185eb58ae272bb38f82dd1139c3621ef3d57ace2ed93c567a1fff486c636b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5b5185eb58ae272bb38f82dd1139c3621ef3d57ace2ed93c567a1fff486c636b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/goal.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118590, "scanner": "repobility-ast-engine", "fingerprint": "660c73777bd6264e27cc6941a19df694e132532d210b6b9694f4d6409ae4e317", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|660c73777bd6264e27cc6941a19df694e132532d210b6b9694f4d6409ae4e317"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/goal.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118589, "scanner": "repobility-ast-engine", "fingerprint": "1e54dae59da7365eb56614b24bb9db76f73f9d4e82d6c327d4f5d95d86170acc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1e54dae59da7365eb56614b24bb9db76f73f9d4e82d6c327d4f5d95d86170acc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/goal.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118588, "scanner": "repobility-ast-engine", "fingerprint": "70c1d456ffdcea9572730580375ffbe2a20e02903f7c336d3dd005279883fd3e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|70c1d456ffdcea9572730580375ffbe2a20e02903f7c336d3dd005279883fd3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/goal.py"}, "region": 
{"startLine": 92}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118587, "scanner": "repobility-ast-engine", "fingerprint": "de804d9c4c46759ecd7150cc369a932f5bdc5c60e95390a7a5414fab35ed4b33", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de804d9c4c46759ecd7150cc369a932f5bdc5c60e95390a7a5414fab35ed4b33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/kernel/version_utils.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118581, "scanner": "repobility-ast-engine", "fingerprint": "1cb0e93e1efc16748347ccc14fa24bd533be5e36520a386c04efd63d27caddc6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1cb0e93e1efc16748347ccc14fa24bd533be5e36520a386c04efd63d27caddc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/routes/conftest.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118531, "scanner": "repobility-ast-engine", "fingerprint": "960d7a287a5a9ae786f86a1392c36ae52cddf3bbd935757ea486d6436770c0e8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|960d7a287a5a9ae786f86a1392c36ae52cddf3bbd935757ea486d6436770c0e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/create_e2b_template.py"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 118530, "scanner": "repobility-ast-engine", "fingerprint": "7ef282d89ea6889b7f27f9fcfa12b3e685ad7ab6327c660ac529b754c354af22", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ef282d89ea6889b7f27f9fcfa12b3e685ad7ab6327c660ac529b754c354af22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/create_daytona_snapshot.py"}, "region": {"startLine": 259}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 118856, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 118855, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 118798, "scanner": "repobility-docker", "fingerprint": "bf34bc3a30426009e308d5e6b5f27dd8195c1a70b75a821f6788027975903c63", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "lambchat", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|bf34bc3a30426009e308d5e6b5f27dd8195c1a70b75a821f6788027975903c63", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 118797, "scanner": 
"repobility-docker", "fingerprint": "c0fb73ea80136d100823cd5d99ace4169e93e315df5c9f7aa7595220917992fa", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "lambchat", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c0fb73ea80136d100823cd5d99ace4169e93e315df5c9f7aa7595220917992fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 118796, "scanner": "repobility-docker", "fingerprint": "326354e6f5c76afdbf7babe8ecf382d23ce05d6c6561ef839ea4cdfc3a5a7007", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "lambchat", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|326354e6f5c76afdbf7babe8ecf382d23ce05d6c6561ef839ea4cdfc3a5a7007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 118792, "scanner": "repobility-docker", "fingerprint": "77ab77a2986ed2fec307e06fbce205517b49f69d5624fb50f9cec46cf91ce15f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, 
"reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|77ab77a2986ed2fec307e06fbce205517b49f69d5624fb50f9cec46cf91ce15f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 118790, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, except=2, if=6, or=1."}, "properties": {"repobilityId": 118747, "scanner": "repobility-threat-engine", "fingerprint": "7b090274cb3ce8b91ee1132059761a157cca6fb9e817d8321f40775c2338fa5b", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 6, "or": 1, "else": 1, "except": 2}, "complexity": 10, "correlation_key": "fp|7b090274cb3ce8b91ee1132059761a157cca6fb9e817d8321f40775c2338fa5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/create_daytona_snapshot.py"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 118735, "scanner": "repobility-threat-engine", "fingerprint": "0caf2a976197d26085649f57316e5c2066cc17dd9fcabb7ca4e8c4accea93e8e", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|81|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/usePasteHandler.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 118734, "scanner": "repobility-threat-engine", "fingerprint": 
"e3aa806e16a1514228737d697a11879ab051dfa2526010f8fac29a93a4a4abb7", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|203|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/documents/previews/PptPreview.tsx"}, "region": {"startLine": 203}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `eslint-plugin-react-refresh` is minor version(s) behind (^0.4.16 -> 0.5.2)"}, "properties": {"repobilityId": 118684, "scanner": "repobility-dependency-currency", "fingerprint": "439c82585678d408239d555784fb4f9c8983d45d9f959cd02908d9e99e862044", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "eslint-plugin-react-refresh", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.5.2", "correlation_key": "fp|439c82585678d408239d555784fb4f9c8983d45d9f959cd02908d9e99e862044", "current_version": "^0.4.16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `autoprefixer` is minor version(s) behind (^10.4.20 -> 10.5.0)"}, "properties": {"repobilityId": 118683, "scanner": "repobility-dependency-currency", "fingerprint": "431a0afff353f9c041a3f8077e3747f50d3fe1a3a3864152e8f6631a97755e4a", 
"category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "autoprefixer", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.5.0", "correlation_key": "fp|431a0afff353f9c041a3f8077e3747f50d3fe1a3a3864152e8f6631a97755e4a", "current_version": "^10.4.20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/react-dom` is minor version(s) behind (^19.0.2 -> 19.2.3)"}, "properties": {"repobilityId": 118681, "scanner": "repobility-dependency-currency", "fingerprint": "d2fa113cd2eb9d905d09e50c7bf822393ae91c734633118598757ded6972ef58", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.2.3", "correlation_key": "fp|d2fa113cd2eb9d905d09e50c7bf822393ae91c734633118598757ded6972ef58", "current_version": "^19.0.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `mermaid` is minor version(s) behind (^11.12.3 -> 11.15.0)"}, "properties": {"repobilityId": 118675, "scanner": "repobility-dependency-currency", "fingerprint": "771ed9360ca358a9e33b907d72a3df018eaa60a49eb67cbe8621b66cbe879c3a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "mermaid", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.15.0", "correlation_key": "fp|771ed9360ca358a9e33b907d72a3df018eaa60a49eb67cbe8621b66cbe879c3a", "current_version": "^11.12.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `mammoth` is minor version(s) behind (^1.8.0 -> 1.12.0)"}, "properties": {"repobilityId": 118674, "scanner": "repobility-dependency-currency", "fingerprint": "5b42d949fa3c381301001b16cb30c6e3515709ecb50af576d62aed04b9e2bae5", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "mammoth", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.12.0", "correlation_key": "fp|5b42d949fa3c381301001b16cb30c6e3515709ecb50af576d62aed04b9e2bae5", "current_version": "^1.8.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `katex` is minor version(s) behind (^0.16.32 -> 0.17.0)"}, "properties": {"repobilityId": 118673, "scanner": "repobility-dependency-currency", "fingerprint": "eba14c77261cc8db72ba3ff6f7ce40119789b0063b2646dd36826e90db128908", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "katex", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": 
["javascript"], "latest_version": "0.17.0", "correlation_key": "fp|eba14c77261cc8db72ba3ff6f7ce40119789b0063b2646dd36826e90db128908", "current_version": "^0.16.32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `dompurify` is minor version(s) behind (^3.3.2 -> 3.4.8)"}, "properties": {"repobilityId": 118672, "scanner": "repobility-dependency-currency", "fingerprint": "7bf32da4a83245ab9041a62cb7803c6d5a9adfde9bc31309b8daaa769f446f5b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "dompurify", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.4.8", "correlation_key": "fp|7bf32da4a83245ab9041a62cb7803c6d5a9adfde9bc31309b8daaa769f446f5b", "current_version": "^3.3.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@xyflow/react` is minor version(s) behind (^12.10.2 -> 12.11.0)"}, "properties": {"repobilityId": 118671, "scanner": "repobility-dependency-currency", "fingerprint": "bacde0538fbca293c397af41c7446406cc261834c4e2a44da421eb285f506877", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@xyflow/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.11.0", "correlation_key": "fp|bacde0538fbca293c397af41c7446406cc261834c4e2a44da421eb285f506877", "current_version": 
"^12.10.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/dompurify` is minor version(s) behind (^3.0.5 -> 3.2.0)"}, "properties": {"repobilityId": 118669, "scanner": "repobility-dependency-currency", "fingerprint": "ea6d1e87275508b4247c6313e002bc255427b0f6b55907eba82e84d1e6cdb61c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/dompurify", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.2.0", "correlation_key": "fp|ea6d1e87275508b4247c6313e002bc255427b0f6b55907eba82e84d1e6cdb61c", "current_version": "^3.0.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@lobehub/icons-static-svg` is minor version(s) behind (^1.84.0 -> 1.91.0)"}, "properties": {"repobilityId": 118668, "scanner": "repobility-dependency-currency", "fingerprint": "f337ecc1a9b628080a9e38a66dcc3cfb4f0d1d6663b3bf1874496f3275733065", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@lobehub/icons-static-svg", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.91.0", "correlation_key": "fp|f337ecc1a9b628080a9e38a66dcc3cfb4f0d1d6663b3bf1874496f3275733065", "current_version": "^1.84.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 
1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@lobehub/icons` is minor version(s) behind (^5.2.0 -> 5.10.0)"}, "properties": {"repobilityId": 118667, "scanner": "repobility-dependency-currency", "fingerprint": "23ffcef538fee663dbff9874958d30952f3c8e6059c86f1a2a2fc024b8bd9cb2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@lobehub/icons", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.10.0", "correlation_key": "fp|23ffcef538fee663dbff9874958d30952f3c8e6059c86f1a2a2fc024b8bd9cb2", "current_version": "^5.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@codemirror/view` is minor version(s) behind (^6.42.0 -> 6.43.0)"}, "properties": {"repobilityId": 118665, "scanner": "repobility-dependency-currency", "fingerprint": "8c88209ea3dbdb8940308735fc41469f74f17e651a47f22791828148b6f453dd", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@codemirror/view", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.43.0", "correlation_key": "fp|8c88209ea3dbdb8940308735fc41469f74f17e651a47f22791828148b6f453dd", "current_version": "^6.42.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `mermaid` is minor version(s) behind (^11.14.0 -> 11.15.0)"}, 
"properties": {"repobilityId": 118661, "scanner": "repobility-dependency-currency", "fingerprint": "558e594e683d28646e3a137767484d1b01352774df60140bee5802a8b1ad9073", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "mermaid", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "11.15.0", "correlation_key": "fp|558e594e683d28646e3a137767484d1b01352774df60140bee5802a8b1ad9073", "current_version": "^11.14.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@lobehub/icons` is minor version(s) behind (^5.2.0 -> 5.10.0)"}, "properties": {"repobilityId": 118660, "scanner": "repobility-dependency-currency", "fingerprint": "fd373bd8d12f654a80b6bf946ba6acf61e4c5e9430a4f9d4512da283d286ac13", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@lobehub/icons", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.10.0", "correlation_key": "fp|fd373bd8d12f654a80b6bf946ba6acf61e4c5e9430a4f9d4512da283d286ac13", "current_version": "^5.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118529, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d82509f435fa307dc3608548b7276615f00ff282050711e58b6939d869d685ef", "category": "quality", "severity": 
"low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/panels/MemoryPanel/DetailModal.tsx", "duplicate_line": 130, "correlation_key": "fp|d82509f435fa307dc3608548b7276615f00ff282050711e58b6939d869d685ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/panels/MemoryPanel/MemoryEditor.tsx"}, "region": {"startLine": 243}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118528, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e306cc6d8ade68c92f9e5196827d4db818d39ceef7404de56ae6bff389a60a03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/mcp/MCPServerForm.tsx", "duplicate_line": 304, "correlation_key": "fp|e306cc6d8ade68c92f9e5196827d4db818d39ceef7404de56ae6bff389a60a03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/panels/MCPPanel.tsx"}, "region": {"startLine": 467}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118527, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3adb62e19305a760b085a1c48d06c4e596243a611069a4be0d9e21fcdd34365", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/panels/AgentModelPanel/AgentSection.tsx", "duplicate_line": 19, "correlation_key": "fp|b3adb62e19305a760b085a1c48d06c4e596243a611069a4be0d9e21fcdd34365"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/panels/AgentPanel/AgentConfigPanel.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118526, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95dd0bca82e1639e405b62684c539d6b5671a37a6a4fd327b729523b29f67097", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/mcp/EnvKeysSelector.tsx", "duplicate_line": 35, "correlation_key": "fp|95dd0bca82e1639e405b62684c539d6b5671a37a6a4fd327b729523b29f67097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/mcp/RoleSelector.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118525, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e9fa504b6e4275a3922d222ca6ba9ffc3977ad5493b2460d2ec10deaca4492d1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window 
appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/mcp/MCPServerToolsSidebar.tsx", "duplicate_line": 11, "correlation_key": "fp|e9fa504b6e4275a3922d222ca6ba9ffc3977ad5493b2460d2ec10deaca4492d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/mcp/MCPToolPolicyEditor.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118524, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8d32896bdce9c0cf18a55d3c5a034841ff8919dd7eb47e9209018d479de1dd6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/MarkdownContent.tsx", "duplicate_line": 371, "correlation_key": "fp|a8d32896bdce9c0cf18a55d3c5a034841ff8919dd7eb47e9209018d479de1dd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/layout/AppContent/useRevealPreview.ts"}, "region": {"startLine": 159}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118523, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5213d1e5b9faf3c559e3145e6c093932007f664c8def0a19b7db3ea696671ef9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/layout/AppContent/AppShell.tsx", "duplicate_line": 57, "correlation_key": "fp|5213d1e5b9faf3c559e3145e6c093932007f664c8def0a19b7db3ea696671ef9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/layout/AppContent/Header.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118522, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4aa54ecacdb82d79a1aa07bc1bb18509f88711fad3156e2af80fed9628866dd6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/documents/DocumentPreviewContent.tsx", "duplicate_line": 66, "correlation_key": "fp|4aa54ecacdb82d79a1aa07bc1bb18509f88711fad3156e2af80fed9628866dd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/documents/useDocumentPreviewState.ts"}, "region": {"startLine": 459}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118521, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d80348911e73c97555278e9a698fc710113136706ac937f2b7963fc5dc05d701", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/MermaidDiagram.tsx", "duplicate_line": 48, "correlation_key": "fp|d80348911e73c97555278e9a698fc710113136706ac937f2b7963fc5dc05d701"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/documents/previews/MermaidDiagram.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118520, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8304991e72545d8721a9b56b6bf947e613f0c8619c25c941ed391cd2a8b877b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/common/ImageViewer.tsx", "duplicate_line": 85, "correlation_key": "fp|c8304991e72545d8721a9b56b6bf947e613f0c8619c25c941ed391cd2a8b877b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/documents/previews/ExcalidrawPreview.tsx"}, "region": {"startLine": 194}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118519, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c79f5362815caf770d98a1d76c3072174a188a27f66a3ea0e9fd5ae63d45df9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/MermaidDiagram.tsx", "duplicate_line": 503, "correlation_key": "fp|4c79f5362815caf770d98a1d76c3072174a188a27f66a3ea0e9fd5ae63d45df9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/documents/previews/ExcalidrawPreview.tsx"}, "region": {"startLine": 177}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118518, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a7c29b87dcaaf5e996c3e40d176d91f626038faf137c5301138371d3f3445585", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/common/ImageViewer.tsx", "duplicate_line": 221, "correlation_key": "fp|a7c29b87dcaaf5e996c3e40d176d91f626038faf137c5301138371d3f3445585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/common/VideoViewer.tsx"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118517, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9238dbf6a7667d70c854ba9f7c8ae8e6568b406246f3e85325157d921e11f819", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"frontend/src/components/chat/MentionPopup.tsx", "duplicate_line": 21, "correlation_key": "fp|9238dbf6a7667d70c854ba9f7c8ae8e6568b406246f3e85325157d921e11f819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/TeamMentionPopup.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118516, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cb71708ab1023829fda31b7d14e7f416d1932e4512ef78d67226bce9ee2dfcf4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/items/EditFileItem.tsx", "duplicate_line": 9, "correlation_key": "fp|cb71708ab1023829fda31b7d14e7f416d1932e4512ef78d67226bce9ee2dfcf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/WriteFileItem.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118515, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c9156013be29f43d4f3ea8964146a4a54244dd0bd998840e1b9bfb435afa0629", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/items/EditFileItem.tsx", 
"duplicate_line": 9, "correlation_key": "fp|c9156013be29f43d4f3ea8964146a4a54244dd0bd998840e1b9bfb435afa0629"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/ReadFileItem.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118514, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11463d225ad3013e5035ffedbdfcd565369c1dff01d85aa024137b05fa97c4a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/items/EditFileItem.tsx", "duplicate_line": 22, "correlation_key": "fp|11463d225ad3013e5035ffedbdfcd565369c1dff01d85aa024137b05fa97c4a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/ProjectRevealItem.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118513, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8b9b3d90c8b4acf78a095f65af5f4c7d35694e7c14394f8aea1aa62b169cc45", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/items/FileRevealItem.tsx", "duplicate_line": 70, 
"correlation_key": "fp|a8b9b3d90c8b4acf78a095f65af5f4c7d35694e7c14394f8aea1aa62b169cc45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/ProjectRevealItem.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118512, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6ca79ad19a9988879e8bc9c92dc8a0c8b5ef77d0732547af1fca4b2861723551", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/items/GlobItem.tsx", "duplicate_line": 96, "correlation_key": "fp|6ca79ad19a9988879e8bc9c92dc8a0c8b5ef77d0732547af1fca4b2861723551"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/LsItem.tsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118511, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd8118b0daaa092f0a9d8be9505840a8b3941a361a23a151aa30f0115c73841b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/items/EditFileItem.tsx", "duplicate_line": 9, "correlation_key": 
"fp|fd8118b0daaa092f0a9d8be9505840a8b3941a361a23a151aa30f0115c73841b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/LsItem.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118510, "scanner": "repobility-ai-code-hygiene", "fingerprint": "721a74e631be5fb8015847416eb6e06767e834d2d5840827cd4cd3cffe07ed42", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/items/GlobItem.tsx", "duplicate_line": 31, "correlation_key": "fp|721a74e631be5fb8015847416eb6e06767e834d2d5840827cd4cd3cffe07ed42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/GrepItem.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118509, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f2041c285dbaa119e668e20541d36ad37e1881726458d8feeea6c10b3f0b4bac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/items/EditFileItem.tsx", "duplicate_line": 9, "correlation_key": 
"fp|f2041c285dbaa119e668e20541d36ad37e1881726458d8feeea6c10b3f0b4bac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/GrepItem.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118508, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a99718b71c9a25b9e322839b52cf500f731338756543e006733181a03b81ad0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/items/EditFileItem.tsx", "duplicate_line": 9, "correlation_key": "fp|1a99718b71c9a25b9e322839b52cf500f731338756543e006733181a03b81ad0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/GlobItem.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118507, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1536ba8fe7b1ed4b20d01aadba70e0bc04a53da70db5f387aebc4588863a597b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/RevealArtifactsSummary.tsx", "duplicate_line": 20, "correlation_key": 
"fp|1536ba8fe7b1ed4b20d01aadba70e0bc04a53da70db5f387aebc4588863a597b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/FileTreeView.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118506, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06b17ff8b67b71096a806d40f280868cbd61fd7d08980f9ba890fbe58b2563ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/items/EditFileItem.tsx", "duplicate_line": 22, "correlation_key": "fp|06b17ff8b67b71096a806d40f280868cbd61fd7d08980f9ba890fbe58b2563ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/FileRevealItem.tsx"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118505, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f72b93840656b769bd8c0571923db7dc09c0843baba367d1d15f6f1bae379fa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/items/EditFileItem.tsx", "duplicate_line": 9, "correlation_key": 
"fp|1f72b93840656b769bd8c0571923db7dc09c0843baba367d1d15f6f1bae379fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/ExecuteItem.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118504, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5325579116d4bfd1ae4840de1f6402b4b107b76ea7b20994c535388b3e789d4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/chat/ChatMessage/SubagentBlocks.tsx", "duplicate_line": 522, "correlation_key": "fp|c5325579116d4bfd1ae4840de1f6402b4b107b76ea7b20994c535388b3e789d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/SummaryItem.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118503, "scanner": "repobility-ai-code-hygiene", "fingerprint": "55c67acd91b74cbc39d34b43216e85a05120d372f9564ff3e5b4cf5b227500b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/auth/AuthLayout.tsx", "duplicate_line": 31, "correlation_key": 
"fp|55c67acd91b74cbc39d34b43216e85a05120d372f9564ff3e5b4cf5b227500b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/auth/ResetPassword.tsx"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118502, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1761b8ea79f8551da867d06da13632462943b5125da84db26211427e7d36b91d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/auth/ForgotPassword.tsx", "duplicate_line": 40, "correlation_key": "fp|1761b8ea79f8551da867d06da13632462943b5125da84db26211427e7d36b91d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/auth/ResetPassword.tsx"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118501, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83189aef607a29a373596b58c25ce7f40bb71e299076c0125d16a6e1eb704e40", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/auth/AuthLayout.tsx", "duplicate_line": 31, "correlation_key": "fp|83189aef607a29a373596b58c25ce7f40bb71e299076c0125d16a6e1eb704e40"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/auth/ForgotPassword.tsx"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 118500, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25207f0003da7413a4c082eae6aa6552bcba5408718b405ccdcd137f4e32ec80", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/auth/AuthLayout.tsx", "duplicate_line": 21, "correlation_key": "fp|25207f0003da7413a4c082eae6aa6552bcba5408718b405ccdcd137f4e32ec80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/auth/AuthPage.tsx"}, "region": {"startLine": 274}}}]}, {"ruleId": "MINED076", "level": "none", "message": {"text": "[MINED076] Catch And Reraise Noop: `except X: raise X` \u2014 re-raises a fresh X() instead of the caught exception, so the original message and arguments are lost; use a bare `raise` to propagate it unchanged, or drop the handler."}, "properties": {"repobilityId": 118789, "scanner": "repobility-threat-engine", "fingerprint": "3a2ca8da072a36d1cd3c5749317b5c839a996a343da24fc4394c3e9a8e6bbef0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "catch-and-reraise-noop", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348079+00:00", "triaged_in_corpus": 10, "observations_count": 8333, "ai_coder_pattern_id": 45}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|3a2ca8da072a36d1cd3c5749317b5c839a996a343da24fc4394c3e9a8e6bbef0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/tracing/langsmith_client.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 118786, "scanner": "repobility-threat-engine", "fingerprint": "703e17c787d71b843e4189f03cc2de342f8a62b2a73bec10b29bc34c1fed35bf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|703e17c787d71b843e4189f03cc2de342f8a62b2a73bec10b29bc34c1fed35bf", "aggregated_count": 4}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 118785, "scanner": "repobility-threat-engine", "fingerprint": "a9c6549f748cb6fc4995f72d123bc4846447ea8a53700f78403a0523d9acede2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", 
"triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a9c6549f748cb6fc4995f72d123bc4846447ea8a53700f78403a0523d9acede2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/mcp/quota.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 118784, "scanner": "repobility-threat-engine", "fingerprint": "335bc18b53f814dea71c5799d80f6d3e5404f4539c77985b8b7392179916dee2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|335bc18b53f814dea71c5799d80f6d3e5404f4539c77985b8b7392179916dee2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/logging/context.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 118783, "scanner": "repobility-threat-engine", "fingerprint": "7fe2cb5321fdeb78c05e8f58be1bcdd1021864893c715af8861ae3a16538ee29", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, 
"cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7fe2cb5321fdeb78c05e8f58be1bcdd1021864893c715af8861ae3a16538ee29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/github_client.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 118782, "scanner": "repobility-threat-engine", "fingerprint": "6953b78e76c6d121ff484c16f58987314f635b663213687459a39660bbc64b7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6953b78e76c6d121ff484c16f58987314f635b663213687459a39660bbc64b7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/backend/protocol_compat.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 118781, "scanner": "repobility-threat-engine", "fingerprint": "69097d97b6ea18e71e407d606483bfdb1ff28f18d4ae98aa6880247266008da3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no 
mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|69097d97b6ea18e71e407d606483bfdb1ff28f18d4ae98aa6880247266008da3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/agent/events/debug_logger.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 118774, "scanner": "repobility-threat-engine", "fingerprint": "a2abe045ac3414d6e050e7854296ed4755cc8eec69d501e00ba7567ec4fe3461", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a2abe045ac3414d6e050e7854296ed4755cc8eec69d501e00ba7567ec4fe3461"}}}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 11 more): Same pattern found in 11 additional files. 
Review if needed."}, "properties": {"repobilityId": 118770, "scanner": "repobility-threat-engine", "fingerprint": "4902e39192aab29cef8978fad2731e6450936b5f9f7a0e3e1c57b7cf8cd630d6", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4902e39192aab29cef8978fad2731e6450936b5f9f7a0e3e1c57b7cf8cd630d6"}}}, {"ruleId": "SEC136", "level": "none", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 118766, "scanner": "repobility-threat-engine", "fingerprint": "3e91effa6ae3ec49c0d9feba9b6f4fe12d5d9bf819a8baf1235d2a70eff42271", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3e91effa6ae3ec49c0d9feba9b6f4fe12d5d9bf819a8baf1235d2a70eff42271"}}}, {"ruleId": "SEC034", "level": "none", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 118762, "scanner": "repobility-threat-engine", "fingerprint": "2e8c6bb0279e648bb4b664ac189ae731fb1ba325c090e25889a5db3aaed8fabd", "category": "log_injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2e8c6bb0279e648bb4b664ac189ae731fb1ba325c090e25889a5db3aaed8fabd"}}}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 118758, "scanner": "repobility-threat-engine", "fingerprint": "2e04db952e410390db8aefd2d38d416e500169f6e7c6273b19b86df1d3593bde", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2e04db952e410390db8aefd2d38d416e500169f6e7c6273b19b86df1d3593bde", "aggregated_count": 27}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 48 more): Same pattern found in 48 additional files. 
Review if needed."}, "properties": {"repobilityId": 118754, "scanner": "repobility-threat-engine", "fingerprint": "4857e130881cb7ba35b895638c49a0fe89791d62e0d82f2bb89fea9438932246", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 48 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4857e130881cb7ba35b895638c49a0fe89791d62e0d82f2bb89fea9438932246", "aggregated_count": 48}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 118753, "scanner": "repobility-threat-engine", "fingerprint": "c9e8842df5b74015129d164219338a934a75752eb6c280576f99761f1215b148", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c9e8842df5b74015129d164219338a934a75752eb6c280576f99761f1215b148"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/search_agent/context.py"}, "region": 
{"startLine": 291}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 118752, "scanner": "repobility-threat-engine", "fingerprint": "d1b26f663241c4acc23e30d95eddae366a9feee2afc2d250d77fca1dec564031", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1b26f663241c4acc23e30d95eddae366a9feee2afc2d250d77fca1dec564031"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/fast_agent/graph.py"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 118751, "scanner": "repobility-threat-engine", "fingerprint": "c8a0f2fbf5d95eb0f5eef1f0571d44f6529c0834435f6b12c65298dcdff08d10", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", 
"correlation_key": "fp|c8a0f2fbf5d95eb0f5eef1f0571d44f6529c0834435f6b12c65298dcdff08d10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/core/persona.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 138 more): Same pattern found in 138 additional files. Review if needed."}, "properties": {"repobilityId": 118750, "scanner": "repobility-threat-engine", "fingerprint": "5fcbb84ebb3b43e469a13cf15d3e538850367fa91e869a31a43efa478ffe6b46", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 138 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 6, "or": 1, "else": 1, "except": 2}, "aggregated": true, "complexity": 10, "correlation_key": "fp|5fcbb84ebb3b43e469a13cf15d3e538850367fa91e869a31a43efa478ffe6b46", "aggregated_count": 138}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 118746, "scanner": "repobility-threat-engine", "fingerprint": "5b2079dad382eafae2f36e4754bb71fe3ab657e6c3925619887a8abc90ed689e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b2079dad382eafae2f36e4754bb71fe3ab657e6c3925619887a8abc90ed689e"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/create_e2b_template.py"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 118745, "scanner": "repobility-threat-engine", "fingerprint": "5438065892b74bbcf0cf5effd5b87b900eae6efaa37494eca1424187c43f3952", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5438065892b74bbcf0cf5effd5b87b900eae6efaa37494eca1424187c43f3952"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/create_daytona_snapshot.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 118741, "scanner": "repobility-threat-engine", "fingerprint": "166f69905924f9a7c2223ad76c992e2d51c4f7a46d6cadb71caea072fb4aa070", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|frontend/src/utils/uuid.ts|9|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/utils/uuid.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 118740, "scanner": "repobility-threat-engine", "fingerprint": "deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|deede2eb215d875636a96303401dd81bf1c025789980c14394da92c4eaa2dcca", "aggregated_count": 1}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 118739, "scanner": "repobility-threat-engine", "fingerprint": "c25b7e61d4f3a1bd18ac71d8b6ae12b9284890b7c004a6cd999015bc34e4bd94", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c25b7e61d4f3a1bd18ac71d8b6ae12b9284890b7c004a6cd999015bc34e4bd94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/storage/s3/backends/minio.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 118738, "scanner": "repobility-threat-engine", "fingerprint": "c1c567753ed4a3baaf0c15ccf9d71b9c6283a7de1bc8cfb1e300aa26e203f7fa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c1c567753ed4a3baaf0c15ccf9d71b9c6283a7de1bc8cfb1e300aa26e203f7fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/storage/s3/backends/aliyun.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 118737, "scanner": "repobility-threat-engine", "fingerprint": "e6882a066952102530a0a59024ebd0b3558534ccc66d3eedb75070ce5cc4c692", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e6882a066952102530a0a59024ebd0b3558534ccc66d3eedb75070ce5cc4c692"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/services/api/config.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Sanitize the markup with DOMPurify (or an equivalent allowlist sanitizer) first, or never use it with user-controlled data."}, "properties": {"repobilityId": 118733, "scanner": "repobility-threat-engine", "fingerprint": "9e8d25cdf044e21f05d759edb50807445dd80c8182f77004760999a1422113e8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e8d25cdf044e21f05d759edb50807445dd80c8182f77004760999a1422113e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/layout/AppContent/MessageOutlinePanel.tsx"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Sanitize the markup with DOMPurify (or an equivalent allowlist sanitizer) first, or never use it with user-controlled data."}, "properties": {"repobilityId": 118732, "scanner": "repobility-threat-engine", "fingerprint": "cda95bd8513dc76476f8e1a9806e917dfbaf5e009b39382364914a6522da251d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cda95bd8513dc76476f8e1a9806e917dfbaf5e009b39382364914a6522da251d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/documents/previews/MermaidDiagram.tsx"}, "region": {"startLine": 337}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 118729, "scanner": "repobility-threat-engine", "fingerprint": "c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 118724, "scanner": "repobility-threat-engine", "fingerprint": "cab71e3e0d858a3b16cef86155b5a70720336ed5d7b2fcc3b519bb449894bd76", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|cab71e3e0d858a3b16cef86155b5a70720336ed5d7b2fcc3b519bb449894bd76"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 118720, "scanner": "repobility-threat-engine", "fingerprint": "93cbe534951178666d5b4580a210cf7d90f5919f5b43a9731fa7dd1375669009", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|93cbe534951178666d5b4580a210cf7d90f5919f5b43a9731fa7dd1375669009", "aggregated_count": 15}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 118719, "scanner": "repobility-threat-engine", "fingerprint": "80e2989044b6086505c078ba962c8318d02a11e53171904690785f0b5d4a510b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|80e2989044b6086505c078ba962c8318d02a11e53171904690785f0b5d4a510b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/GrepItem.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 118718, "scanner": "repobility-threat-engine", "fingerprint": 
"14ec6485d2cb0cd1838c2ed473a81302af8adbfa02c61e77001bab2e82882d24", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14ec6485d2cb0cd1838c2ed473a81302af8adbfa02c61e77001bab2e82882d24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/GlobItem.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 118717, "scanner": "repobility-threat-engine", "fingerprint": "23b79006511ca98d8decea7ffbe03864022a9055f9f5f010567fa83320b0b92f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23b79006511ca98d8decea7ffbe03864022a9055f9f5f010567fa83320b0b92f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/TodoBlock.tsx"}, "region": {"startLine": 95}}}]}, 
{"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 118716, "scanner": "repobility-threat-engine", "fingerprint": "1496843c0eed8a51734332986313792a7364ab3d042de13136eb2fd93f9e84d8", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1496843c0eed8a51734332986313792a7364ab3d042de13136eb2fd93f9e84d8"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 118712, "scanner": "repobility-threat-engine", "fingerprint": "98e6262e3b075184faf052c60b50f67bcbe7a59c78a00cb653069b8af654317c", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|98e6262e3b075184faf052c60b50f67bcbe7a59c78a00cb653069b8af654317c"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 118711, "scanner": "repobility-threat-engine", "fingerprint": "f6f09915f40c4e0615abb1b5c28fd76747bec8f968efc24d291f71cdede8614a", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.warning(f\"Failed to emit token:<redacted> event: {e}\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|32|logger.warning f failed to emit token: redacted event: e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/core/node_utils.py"}, "region": {"startLine": 326}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 118710, "scanner": "repobility-threat-engine", "fingerprint": "bba4a87c8a98bce05af19701afef996de1e944b42810307a1b147d506b9df825", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn(\"[WebSocket] No auth token, skipping connection\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|11|console.warn websocket no auth token skipping connection"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/useWebSocket.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 118709, "scanner": "repobility-threat-engine", "fingerprint": "e1f7743b5e90f9b7bfc67650048bfff9bad5ea23fa3565e0ab876085f35de851", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(\"No tokens found in callback URL\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|console.error no tokens found in callback url"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/auth/OAuthCallback.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 70 more): Same pattern found in 70 additional files. Review if needed."}, "properties": {"repobilityId": 118708, "scanner": "repobility-threat-engine", "fingerprint": "266cadd2c498f0e5b28fecd5df699cab14303c95e3989a69985c6fba671922d2", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 70 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 70 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|266cadd2c498f0e5b28fecd5df699cab14303c95e3989a69985c6fba671922d2"}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 118704, "scanner": "repobility-threat-engine", "fingerprint": "16a3878cc7d46aba9ee38eff3f6f5eaa135b1d3dc716e166769b3b6ecf741aa0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|16a3878cc7d46aba9ee38eff3f6f5eaa135b1d3dc716e166769b3b6ecf741aa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src-tauri/src/lib.rs"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 118703, "scanner": "repobility-threat-engine", "fingerprint": "608d8d675ae0526fc953a53caf5c68a07518f95ee27080c50acec2df294a2cc4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|608d8d675ae0526fc953a53caf5c68a07518f95ee27080c50acec2df294a2cc4", "aggregated_count": 13}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 118702, "scanner": "repobility-threat-engine", "fingerprint": "f618dd82fe4c45c35c72109d8fde774bf9a8c686a9228b5549505ed0572752e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f618dd82fe4c45c35c72109d8fde774bf9a8c686a9228b5549505ed0572752e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/ReadFileItem.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 118701, "scanner": "repobility-threat-engine", "fingerprint": "d74cf2a129bf7bf2003f78fa8aa867b277c2cf3be5f7befd136ba20b056cdf9f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d74cf2a129bf7bf2003f78fa8aa867b277c2cf3be5f7befd136ba20b056cdf9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatInputToolbar.tsx"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 118700, "scanner": "repobility-threat-engine", "fingerprint": "f98da7e1a6ca53bc4e295a20c1c2c33cb2feb94e7796d3a5387bc761494f0563", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f98da7e1a6ca53bc4e295a20c1c2c33cb2feb94e7796d3a5387bc761494f0563"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/extract-i18n.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 118697, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 118696, "scanner": "repobility-threat-engine", "fingerprint": "bbc8bad884e829d3295e82be365a61887af57598adc695617ab4cd7a6210a82d", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|src/infra/mcp/quota.py|161|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/mcp/quota.py"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "properties": {"repobilityId": 118693, "scanner": "repobility-threat-engine", "fingerprint": "99618db61bfa174777786564587e6ffbd7a6065eec577cae95271e5fe437835e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 34 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|99618db61bfa174777786564587e6ffbd7a6065eec577cae95271e5fe437835e", "aggregated_count": 34}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 118692, "scanner": "repobility-threat-engine", "fingerprint": "8dd0e801293a2ee9c78f560fd8353395d09579ca2502baf9212bcb1f25d486f5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8dd0e801293a2ee9c78f560fd8353395d09579ca2502baf9212bcb1f25d486f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/find-large-files.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 118691, "scanner": "repobility-threat-engine", "fingerprint": "f9351092c7d72dc01dc022fbb27c06393ad2065a5efbdea6422c924e207bffe5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f9351092c7d72dc01dc022fbb27c06393ad2065a5efbdea6422c924e207bffe5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/extract-i18n.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 118690, "scanner": "repobility-threat-engine", "fingerprint": "97b04d8256e0c53ca884a04dc2b6335208a1f6a62243371fcc85c9857986fd7a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|97b04d8256e0c53ca884a04dc2b6335208a1f6a62243371fcc85c9857986fd7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/build-packaged-frontend.mjs"}, "region": {"startLine": 7}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `turndown` is patch version(s) behind (^7.2.2 -> 7.2.4)"}, "properties": {"repobilityId": 118679, "scanner": "repobility-dependency-currency", "fingerprint": "d769084f96f05d27eac6cdc4f6971edda198ca98ebb200ffb2302d3cd0df2889", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "turndown", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.2.4", "correlation_key": "fp|d769084f96f05d27eac6cdc4f6971edda198ca98ebb200ffb2302d3cd0df2889", "current_version": "^7.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `react-virtuoso` is 
patch version(s) behind (^4.18.3 -> 4.18.7)"}, "properties": {"repobilityId": 118678, "scanner": "repobility-dependency-currency", "fingerprint": "c1aaa03a0d15301a1a70ee4fbc3ab3a818f1089e38d9bb802acdbe956b61c652", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-virtuoso", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.18.7", "correlation_key": "fp|c1aaa03a0d15301a1a70ee4fbc3ab3a818f1089e38d9bb802acdbe956b61c652", "current_version": "^4.18.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `react-pdf` is patch version(s) behind (^10.4.0 -> 10.4.1)"}, "properties": {"repobilityId": 118677, "scanner": "repobility-dependency-currency", "fingerprint": "27a87026d5d04b7ac47276e84cea69f566ed3d06cf2c65f8ec0d680761a033c7", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-pdf", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.4.1", "correlation_key": "fp|27a87026d5d04b7ac47276e84cea69f566ed3d06cf2c65f8ec0d680761a033c7", "current_version": "^10.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@uiw/react-codemirror` is patch version(s) behind (^4.25.8 -> 4.25.10)"}, "properties": {"repobilityId": 118670, "scanner": "repobility-dependency-currency", "fingerprint": 
"8d8c7075cc8bbf034726b706591ce3a9b28b5c2efc7bed49164547f2754aa1bb", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@uiw/react-codemirror", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.25.10", "correlation_key": "fp|8d8c7075cc8bbf034726b706591ce3a9b28b5c2efc7bed49164547f2754aa1bb", "current_version": "^4.25.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@excalidraw/excalidraw` is patch version(s) behind (^0.18.0 -> 0.18.1)"}, "properties": {"repobilityId": 118666, "scanner": "repobility-dependency-currency", "fingerprint": "48ecb74b4fa534b09283923d80523a137468ff463666a32eec79f7aae1d30c2b", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@excalidraw/excalidraw", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.18.1", "correlation_key": "fp|48ecb74b4fa534b09283923d80523a137468ff463666a32eec79f7aae1d30c2b", "current_version": "^0.18.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@codemirror/lang-yaml` is patch version(s) behind (^6.1.2 -> 6.1.3)"}, "properties": {"repobilityId": 118664, "scanner": "repobility-dependency-currency", "fingerprint": "f9c3fb0911a6e83013c60dc61cb7d81c53dfa0a4c62678ee97fa305f02e53100", "category": "dependency", "severity": "info", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@codemirror/lang-yaml", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.1.3", "correlation_key": "fp|f9c3fb0911a6e83013c60dc61cb7d81c53dfa0a4c62678ee97fa305f02e53100", "current_version": "^6.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `vitepress` is patch version(s) behind (^1.6.3 -> 1.6.4)"}, "properties": {"repobilityId": 118663, "scanner": "repobility-dependency-currency", "fingerprint": "fa5bc378f24c6fb7d8df7f0bb7ff26b2a4a204eabacda15151391dd83cf54c5d", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "vitepress", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.6.4", "correlation_key": "fp|fa5bc378f24c6fb7d8df7f0bb7ff26b2a4a204eabacda15151391dd83cf54c5d", "current_version": "^1.6.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `turndown` is patch version(s) behind (^7.2.2 -> 7.2.4)"}, "properties": {"repobilityId": 118662, "scanner": "repobility-dependency-currency", "fingerprint": "c13b91d8e1bc4d2d8c0e5040b531915ad094285663d2fd350b20adb117e179c9", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": 
[], "package": "turndown", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.2.4", "correlation_key": "fp|c13b91d8e1bc4d2d8c0e5040b531915ad094285663d2fd350b20adb117e179c9", "current_version": "^7.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 118854, "scanner": "repobility-journey-contract", "fingerprint": "fa1ee67da17c170901a1015334056fda3ed3cc01079ddf1afa31d770b6a18c38", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|253|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/panels/UsersPanel.tsx"}, "region": {"startLine": 253}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 118853, "scanner": "repobility-journey-contract", "fingerprint": "710dc260c0523423cbaebbc0caf4eb9a3ce3a5ba917b2fc5a1fc9233a40360d4", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": 
"code|auth|frontend/src/types/auth.ts|6|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 4}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/types/auth.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /shared/{share_id}."}, "properties": {"repobilityId": 118824, "scanner": "repobility-access-control", "fingerprint": "d3abf0ba9e6c4680a6016aa9ecd69469a3d9d5c14efc9bbe4ee0cefcc8782c9c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/shared/{share_id}", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|src/api/main.py|701|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/main.py"}, "region": {"startLine": 701}}}]}, {"ruleId": "GHSA-qjx8-664m-686j", "level": "error", "message": {"text": "js-cookie: GHSA-qjx8-664m-686j"}, "properties": {"repobilityId": 118815, "scanner": "osv-scanner", "fingerprint": "b6a964729a27af4aca2dabfe78855d09e7c52d0b76e1d0eeaa9032e7bc58fa6d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46625"], "package": "js-cookie", "rule_id": "GHSA-qjx8-664m-686j", "scanner": "osv-scanner", "correlation_key": "vuln|js-cookie|CVE-2026-46625|pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"GHSA-5pgg-2g8v-p4x9", "level": "error", "message": {"text": "xlsx: GHSA-5pgg-2g8v-p4x9"}, "properties": {"repobilityId": 118813, "scanner": "osv-scanner", "fingerprint": "a5329dcf2bbb0b7d28560da8cc79a714f3d51636da4d86404c8702ec3638179f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2024-22363"], "package": "xlsx", "rule_id": "GHSA-5pgg-2g8v-p4x9", "scanner": "osv-scanner", "correlation_key": "vuln|xlsx|CVE-2024-22363|frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-4r6h-8v6p-xvw6", "level": "error", "message": {"text": "xlsx: GHSA-4r6h-8v6p-xvw6"}, "properties": {"repobilityId": 118812, "scanner": "osv-scanner", "fingerprint": "187673609a3aa4bfb1c5e1511670c5bb300504adce94e1d798a2c4a1ae37f831", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-30533"], "package": "xlsx", "rule_id": "GHSA-4r6h-8v6p-xvw6", "scanner": "osv-scanner", "correlation_key": "vuln|xlsx|CVE-2023-30533|frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 118805, "scanner": "osv-scanner", "fingerprint": "b3d88daa32f66cdb899adef9b14b0a9663ff30936b0e619780862c1b1c3f3b10", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash-es", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": 
"vuln|lodash-es|CVE-2026-4800|frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qjx8-664m-686j", "level": "error", "message": {"text": "js-cookie: GHSA-qjx8-664m-686j"}, "properties": {"repobilityId": 118803, "scanner": "osv-scanner", "fingerprint": "fafa15da38a71285831e2cf4f161f7ff7c32ed3ad2f9e0e28d96c918353ed172", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46625"], "package": "js-cookie", "rule_id": "GHSA-qjx8-664m-686j", "scanner": "osv-scanner", "correlation_key": "vuln|js-cookie|CVE-2026-46625|frontend/pnpm-lock.yaml"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 118793, "scanner": "repobility-docker", "fingerprint": "8613e5c965e1ff45e5149454808595fdbef367de40a398ccc939f7868db054bd", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "27017:27017", "target": "27017", "host_ip": "", "published": "27017"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|8613e5c965e1ff45e5149454808595fdbef367de40a398ccc939f7868db054bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 11}}}]}, 
{"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 118791, "scanner": "repobility-docker", "fingerprint": "503bbf7b1f660182b80414f6a973e516923a4555894fe65642d98d986d9bd0ed", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|503bbf7b1f660182b80414f6a973e516923a4555894fe65642d98d986d9bd0ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 118787, "scanner": "repobility-threat-engine", "fingerprint": "e1887a08b75b443b114079d84a6453efac26616f1ce8a855f02530fb3739e001", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e1887a08b75b443b114079d84a6453efac26616f1ce8a855f02530fb3739e001"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "src/infra/tool/mcp_pool.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 118780, "scanner": "repobility-threat-engine", "fingerprint": "04568220b9c71e9cc43d4dc890088fd485924658be3c93109a5a49ebd33a178e", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": "message=f\"Update", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|src/api/routes/envvar.py|91|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/envvar.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC030", "level": "error", "message": {"text": "[SEC030] Open Redirect \u2014 user-controlled redirect target: Redirect target is taken directly from user input without validating that the destination is local to the site. Attackers craft phishing URLs that appear to come from your domain but land on attacker-controlled pages \u2014 common in OAuth callback flows, post-login redirects, and `next=` parameters. 
CWE-601."}, "properties": {"repobilityId": 118776, "scanner": "repobility-threat-engine", "fingerprint": "7f3d2ef2072b7a3ba51cb0d366d4809c35781bc3101da2ed5f45065bcc859f4b", "category": "open_redirect", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "RedirectResponse(\n            url=f\"{_frontend_callback", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC030", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7f3d2ef2072b7a3ba51cb0d366d4809c35781bc3101da2ed5f45065bcc859f4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/oauth.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 118773, "scanner": "repobility-threat-engine", "fingerprint": "fb3bdd0bd86a584b097fdf1a7d1d203f9cddaefd23d9e8bb8cbfb332d1ed5abf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\"/oauth/{provider}/callback\")\nasync def oauth_callback(http_request: Request, provider:", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fb3bdd0bd86a584b097fdf1a7d1d203f9cddaefd23d9e8bb8cbfb332d1ed5abf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/oauth.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 118772, "scanner": "repobility-threat-engine", "fingerprint": "192690c73f7df12d7cad75f87bfd20b1c3100121c29363894e0eeaa4d1733a47", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.post(\"/register\", response_model=RegisterResponse)\nasync def register(user_data: UserCreate,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|192690c73f7df12d7cad75f87bfd20b1c3100121c29363894e0eeaa4d1733a47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/core.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 118771, "scanner": "repobility-threat-engine", "fingerprint": "4b264d28cd247dd5f5c15eb077ddb5798ca22634210d2098e63eb9fe38484aaf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@router.put(\"/global\", response_model=GlobalAgentConfigResponse)\nasync def update_global_agent_confi", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4b264d28cd247dd5f5c15eb077ddb5798ca22634210d2098e63eb9fe38484aaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/agent/config.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 118757, "scanner": "repobility-threat-engine", "fingerprint": "245e66c65e31f69b6947ffa9ebbdb97227a6ad64866f6449bc0d4af59ed63b7c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|245e66c65e31f69b6947ffa9ebbdb97227a6ad64866f6449bc0d4af59ed63b7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/agents/team_agent/graph.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 118756, "scanner": "repobility-threat-engine", "fingerprint": "e4595722b3aa98ffb041deb2741b56eefc39831dc175d1d56e9095e5ab74f829", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4595722b3aa98ffb041deb2741b56eefc39831dc175d1d56e9095e5ab74f829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/search_agent/graph.py"}, "region": {"startLine": 231}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 118755, "scanner": "repobility-threat-engine", "fingerprint": "3e4e729c65fd6143ad3314c3afed56146915f14a19ff257c40fe200c6e2fd279", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, 
"ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e4e729c65fd6143ad3314c3afed56146915f14a19ff257c40fe200c6e2fd279"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/fast_agent/graph.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `inline_image_attachments_as_data_urls` has cognitive complexity 27 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=7, except=1, for=1, if=8, nested_bonus=8, or=2."}, "properties": {"repobilityId": 118748, "scanner": "repobility-threat-engine", "fingerprint": "d481613277eac4487dfbfd1471e231a6ab1ca16f762daa97a19c9399f3741861", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 27 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "inline_image_attachments_as_data_urls", "breakdown": {"if": 8, "or": 2, "for": 1, "except": 1, "continue": 7, "nested_bonus": 8}, "complexity": 27, "correlation_key": "fp|d481613277eac4487dfbfd1471e231a6ab1ca16f762daa97a19c9399f3741861"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/agents/core/node_utils.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 118744, "scanner": "repobility-threat-engine", "fingerprint": "92de957f7b411cd075884e9f6bee23e0ebcd30e1b38c8db8808963b703296adc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92de957f7b411cd075884e9f6bee23e0ebcd30e1b38c8db8808963b703296adc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/create_daytona_snapshot.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 118743, "scanner": "repobility-threat-engine", "fingerprint": "12a843855a6f1a3f2d9707ff3aad53c99c9c4a62ef9fe18805651a4607698ae9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|12a843855a6f1a3f2d9707ff3aad53c99c9c4a62ef9fe18805651a4607698ae9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/create_e2b_template.py"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 118742, "scanner": "repobility-threat-engine", "fingerprint": "bf92e1475c602d68b43dbd4e8153bd0cc3d0c6ed43b9ad681993c2032bf13228", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bf92e1475c602d68b43dbd4e8153bd0cc3d0c6ed43b9ad681993c2032bf13228"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/create_daytona_snapshot.py"}, "region": {"startLine": 256}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. 
libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 118731, "scanner": "repobility-threat-engine", "fingerprint": "981f1d9e9907c9bfbe81193c34533b192eb6224634028fa97f8bee3a0f9db91f", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|981f1d9e9907c9bfbe81193c34533b192eb6224634028fa97f8bee3a0f9db91f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/documents/previews/MermaidDiagram.tsx"}, "region": {"startLine": 167}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 118728, "scanner": "repobility-threat-engine", "fingerprint": "ccf843602eb0aedbfccb752bcc4a1023f0d9b62daddf2a7d941c40e81e6023b7", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n      (paragraph) => `<p>${escapeHtml(paragraph).replace(/\\n/g, \"<br />\")}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ccf843602eb0aedbfccb752bcc4a1023f0d9b62daddf2a7d941c40e81e6023b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/documents/previews/wordPreviewUtils.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 118727, "scanner": "repobility-threat-engine", "fingerprint": "4aa50072aacd9f5b759d8affe2147472e74d77f647e6803cb80699bac01be25a", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n              (slideHtml) =>\n                `<div class=\"ppt-html-preview-slide\">${normalizePp", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4aa50072aacd9f5b759d8affe2147472e74d77f647e6803cb80699bac01be25a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/documents/previews/PptPreview.tsx"}, "region": {"startLine": 204}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 118726, "scanner": "repobility-threat-engine", "fingerprint": "de87ae18a7fcb4789d3453e6b3c4330890bff7977fb4f78a138a389682c7c5d5", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([property, value]) => `${property}: ${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de87ae18a7fcb4789d3453e6b3c4330890bff7977fb4f78a138a389682c7c5d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/mermaidSvgUtils.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 118725, "scanner": "repobility-threat-engine", "fingerprint": "d8b9122f34d2694bd6affccc398a85dc082bbaf2b4fedf4532912897dcab334f", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|35|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/revealPreviewState.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 118723, "scanner": "repobility-threat-engine", "fingerprint": "806ef0433d8ac7ad0fcdd61a51ae7d2cce0d57de73fe9744e3a6a883579d01ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "current.delete(listener);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|806ef0433d8ac7ad0fcdd61a51ae7d2cce0d57de73fe9744e3a6a883579d01ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/subagentPanelStore.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 118722, "scanner": "repobility-threat-engine", "fingerprint": "9865dca13419ecaeadbff38c4679baf106c273492f9a00b252ce2b74e24fd4d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "inflightProjectRevealFilesCache.delete(previewKey);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9865dca13419ecaeadbff38c4679baf106c273492f9a00b252ce2b74e24fd4d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/revealPreviewData.ts"}, "region": {"startLine": 299}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 118721, "scanner": "repobility-threat-engine", "fingerprint": "a5d2721e21135361f96075cff8741d560ff3f45ad12e959e7588f6cecee8d330", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "listeners.delete(listener);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a5d2721e21135361f96075cff8741d560ff3f45ad12e959e7588f6cecee8d330"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/ChatMessage/items/createSingletonStore.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 118707, "scanner": "repobility-threat-engine", "fingerprint": "8eb529725f7d06cbeaf147dd2032e7dd182c2859881d893a61aa4cf9fcbdb3c9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8eb529725f7d06cbeaf147dd2032e7dd182c2859881d893a61aa4cf9fcbdb3c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/chat/AttachmentPreview.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 118706, "scanner": "repobility-threat-engine", "fingerprint": "2ede120ceb6ff3ac61956c166cb68f4a8056b9f07d8b670a7d07a8d15fa29fcf", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2ede120ceb6ff3ac61956c166cb68f4a8056b9f07d8b670a7d07a8d15fa29fcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/agent/modelIcon.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 118705, "scanner": "repobility-threat-engine", "fingerprint": "10c67b20944498f81c4067d70bf15ce1b0382570e6f4e4bef31d3216ba7fc98d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(\n  m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10c67b20944498f81c4067d70bf15ce1b0382570e6f4e4bef31d3216ba7fc98d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/agent/modelIcon.ts"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 118699, "scanner": "repobility-threat-engine", "fingerprint": "2a4297e03bb16154ede0426f43faac487f1b24c4ec7a2b27f1a684a957b07cf6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(message", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2a4297e03bb16154ede0426f43faac487f1b24c4ec7a2b27f1a684a957b07cf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/hooks/useAgent/goalCommands.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 118698, "scanner": "repobility-threat-engine", "fingerprint": "556da2ceb292f215f02c8f403a7a014011724a3f0bbe35751ba5faa4122d304d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|556da2ceb292f215f02c8f403a7a014011724a3f0bbe35751ba5faa4122d304d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/scripts/extract-i18n.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `frontend/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 118659, "scanner": "repobility-supply-chain", "fingerprint": "5ee9fa0f1c71b7183102c717a211602e383cbde80acc29b3ffbc3b6c5ef47267", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ee9fa0f1c71b7183102c717a211602e383cbde80acc29b3ffbc3b6c5ef47267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118658, "scanner": "repobility-supply-chain", "fingerprint": 
"dc3ac56d84020df57bdf405b3011a0423e220626a6404eb21782827231da984f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc3ac56d84020df57bdf405b3011a0423e220626a6404eb21782827231da984f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118657, "scanner": "repobility-supply-chain", "fingerprint": "c7bb1552d4790cb64db61546aa704a9949220a57a60fc6e69fc0a2c338e3cd87", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c7bb1552d4790cb64db61546aa704a9949220a57a60fc6e69fc0a2c338e3cd87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118656, "scanner": "repobility-supply-chain", "fingerprint": "1f4d33fd496d403255ffde68f3d756ba512e52cad7fafce340001833025c7c40", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], 
"languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f4d33fd496d403255ffde68f3d756ba512e52cad7fafce340001833025c7c40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118655, "scanner": "repobility-supply-chain", "fingerprint": "76da64071328b75b5ca8dddca9e1c1a13ef475f572a0b95fae7212b1cb80ad66", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76da64071328b75b5ca8dddca9e1c1a13ef475f572a0b95fae7212b1cb80ad66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118654, "scanner": "repobility-supply-chain", "fingerprint": "5b5d8f3b33b46b99fbf008027413a41a74085d635f6afa633f06df7b43a45de2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b5d8f3b33b46b99fbf008027413a41a74085d635f6afa633f06df7b43a45de2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": 
"MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118653, "scanner": "repobility-supply-chain", "fingerprint": "12d66abbd79b1c5554f6073146ae245d1daedf74d678972b414fd67f2f8a25d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12d66abbd79b1c5554f6073146ae245d1daedf74d678972b414fd67f2f8a25d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118652, "scanner": "repobility-supply-chain", "fingerprint": "5054d512f2b1ea4df14cd4b80c28f6583cbc326a58f09a51d64faf7fd29190a8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5054d512f2b1ea4df14cd4b80c28f6583cbc326a58f09a51d64faf7fd29190a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118651, "scanner": "repobility-supply-chain", "fingerprint": "3ab29dfc69f205861143fa4604803e544ab88129d583061c6310cb60ed98ca89", "category": "dependency", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ab29dfc69f205861143fa4604803e544ab88129d583061c6310cb60ed98ca89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118650, "scanner": "repobility-supply-chain", "fingerprint": "1d3b19154dd19683313e1b256e047b08afa0e36cad255946dbc84d52e0427a74", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1d3b19154dd19683313e1b256e047b08afa0e36cad255946dbc84d52e0427a74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 118649, "scanner": "repobility-supply-chain", "fingerprint": "99f7abd8ff5188f4e9b56b19667310caeb2075dd795333e9169fa76d178ca481", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|99f7abd8ff5188f4e9b56b19667310caeb2075dd795333e9169fa76d178ca481"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118648, "scanner": "repobility-supply-chain", "fingerprint": "5198abd8dc44b09a2f31110f53859c88ecae333432afe9a98adbc93b95254af3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5198abd8dc44b09a2f31110f53859c88ecae333432afe9a98adbc93b95254af3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 293}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118647, "scanner": "repobility-supply-chain", "fingerprint": "439866e67bcbc709f5e37f6a90f50d06efc85338e95ffff1a1dbe824375a02bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|439866e67bcbc709f5e37f6a90f50d06efc85338e95ffff1a1dbe824375a02bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 253}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` 
pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118646, "scanner": "repobility-supply-chain", "fingerprint": "471d1df26ad60d9686e10c3da9b4e8227a4a1aedced028020df0be9a3583586a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|471d1df26ad60d9686e10c3da9b4e8227a4a1aedced028020df0be9a3583586a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 248}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118645, "scanner": "repobility-supply-chain", "fingerprint": "23d6f3a94344fc057bfe5c8a11327adbfd778d095c451d605a96db5e33b76639", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|23d6f3a94344fc057bfe5c8a11327adbfd778d095c451d605a96db5e33b76639"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 236}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118644, "scanner": "repobility-supply-chain", "fingerprint": "4f9340a0eaef8a318dc2bd8634af8c3dbc8bebf21438e77ef07f040ba0540d52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f9340a0eaef8a318dc2bd8634af8c3dbc8bebf21438e77ef07f040ba0540d52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `android-actions/setup-android` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 118643, "scanner": "repobility-supply-chain", "fingerprint": "d6e728c3ae68fbbe5b5f5faca91ab27d9475e5daf12403945ae2e1f8eb243fe2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6e728c3ae68fbbe5b5f5faca91ab27d9475e5daf12403945ae2e1f8eb243fe2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118642, "scanner": "repobility-supply-chain", "fingerprint": "e305c34e85255d0cf5acf436085fe4caab22dbe11d28d36ff1f83cd848b882c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|e305c34e85255d0cf5acf436085fe4caab22dbe11d28d36ff1f83cd848b882c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118641, "scanner": "repobility-supply-chain", "fingerprint": "2faee525a7c1bd57f0f994eea8e5cf08f58d3b5e66bc78499d3c5e90299c8caa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2faee525a7c1bd57f0f994eea8e5cf08f58d3b5e66bc78499d3c5e90299c8caa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118640, "scanner": "repobility-supply-chain", "fingerprint": "e6c263e253407486c43069527804b9ae29fd0d0ab605eaecdb5fba6f430d4dca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6c263e253407486c43069527804b9ae29fd0d0ab605eaecdb5fba6f430d4dca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to 
mutable ref `@v4`"}, "properties": {"repobilityId": 118639, "scanner": "repobility-supply-chain", "fingerprint": "ef1d68d25353c5a54799b2681507623bbbf0701660610f8b7988db94ff8dbfee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef1d68d25353c5a54799b2681507623bbbf0701660610f8b7988db94ff8dbfee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118638, "scanner": "repobility-supply-chain", "fingerprint": "07bb83be63f583c1ed82d6b8f9c142e49d0436984f01353497468b1736ea91b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07bb83be63f583c1ed82d6b8f9c142e49d0436984f01353497468b1736ea91b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 118637, "scanner": "repobility-supply-chain", "fingerprint": "402f483f039223022ecaddaff36cd46d33ae9633d856fa342c9bb9783550387a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|402f483f039223022ecaddaff36cd46d33ae9633d856fa342c9bb9783550387a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118636, "scanner": "repobility-supply-chain", "fingerprint": "4c76f9830bd6d7245915a282d9a43ff6298f7e9fe3a198c4d9b43c72bba3680a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c76f9830bd6d7245915a282d9a43ff6298f7e9fe3a198c4d9b43c72bba3680a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118635, "scanner": "repobility-supply-chain", "fingerprint": "5e28fa1a19cec450c4b24e0c4efa188a4ab56caf10f7bc8f79fc63557488da16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|5e28fa1a19cec450c4b24e0c4efa188a4ab56caf10f7bc8f79fc63557488da16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 118634, "scanner": "repobility-supply-chain", "fingerprint": "ea51a93117f543b5b450da8e0029886674bf9ea438a500e2dae56cff9a99fec4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea51a93117f543b5b450da8e0029886674bf9ea438a500e2dae56cff9a99fec4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/app-release.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v5.0.0`"}, "properties": {"repobilityId": 118633, "scanner": "repobility-supply-chain", "fingerprint": "09e7034cce1b32219b4c4a4fc3ee6322c11685ec01d81f9870ca75359a8b8b8f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09e7034cce1b32219b4c4a4fc3ee6322c11685ec01d81f9870ca75359a8b8b8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": 
"pre-commit hook `https://github.com/pre-commit/mirrors-prettier` pinned to mutable rev `v3.1.0`"}, "properties": {"repobilityId": 118632, "scanner": "repobility-supply-chain", "fingerprint": "7e16267fc4b817b7eed3eddce5aace79e8791963b235a35713f8a5f6fd60de3b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e16267fc4b817b7eed3eddce5aace79e8791963b235a35713f8a5f6fd60de3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.9.10`"}, "properties": {"repobilityId": 118631, "scanner": "repobility-supply-chain", "fingerprint": "8b4544f18621c2be6205aecb55869712adfb986653eebbde44e25b0d4e0f72b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b4544f18621c2be6205aecb55869712adfb986653eebbde44e25b0d4e0f72b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.12-slim` not pinned by digest"}, "properties": {"repobilityId": 118630, "scanner": "repobility-supply-chain", "fingerprint": "60d454c0627346f177e205c1ef409ab0cda8cc0a0e661761bea810312f3076d9", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|60d454c0627346f177e205c1ef409ab0cda8cc0a0e661761bea810312f3076d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:20-alpine` not pinned by digest"}, "properties": {"repobilityId": 118629, "scanner": "repobility-supply-chain", "fingerprint": "86b04f7931493d9638cb2eda4e1976d754444bdfa44cbfed7c198a3e34e2453f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86b04f7931493d9638cb2eda4e1976d754444bdfa44cbfed7c198a3e34e2453f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /oauth/{provider}/callback has no auth"}, "properties": {"repobilityId": 118628, "scanner": "repobility-route-auth", "fingerprint": "c1cb31f43b4468302252b0e39dc1e21e9ed86bbb7876136980cc809816021afb", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": 
"repobility-route-auth", "correlation_key": "fp|c1cb31f43b4468302252b0e39dc1e21e9ed86bbb7876136980cc809816021afb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/oauth.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /refresh has no auth"}, "properties": {"repobilityId": 118627, "scanner": "repobility-route-auth", "fingerprint": "121d0a948b81ca6921cef8a6bbf375d11465265ace3f72def9cbccd8a11e481f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|121d0a948b81ca6921cef8a6bbf375d11465265ace3f72def9cbccd8a11e481f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/core.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /login has no auth"}, "properties": {"repobilityId": 118626, "scanner": "repobility-route-auth", "fingerprint": "a95fd878b425ddc879f9b7f133e4d7fa09f49d42d4e29245350f0cadbbde94ec", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|a95fd878b425ddc879f9b7f133e4d7fa09f49d42d4e29245350f0cadbbde94ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/core.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED112", "level": "error", 
"message": {"text": "FastAPI POST /register has no auth"}, "properties": {"repobilityId": 118625, "scanner": "repobility-route-auth", "fingerprint": "ccb84f1a49b232024c55b696fef2b155ec20d9f983e360b58e3661ac5b91baaa", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|ccb84f1a49b232024c55b696fef2b155ec20d9f983e360b58e3661ac5b91baaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/core.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /resend-verification has no auth"}, "properties": {"repobilityId": 118624, "scanner": "repobility-route-auth", "fingerprint": "fe717cf7af4b36727c5159af3862e12e2facdc0e63dd87f59dffe3ac68325071", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|fe717cf7af4b36727c5159af3862e12e2facdc0e63dd87f59dffe3ac68325071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/verification.py"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /verify-email has no auth"}, "properties": {"repobilityId": 118623, "scanner": "repobility-route-auth", "fingerprint": "7bfef5c8e3d74d0ec1b94cfe7711f491a2d80883dcaadf337eda30a9fef63f0e", "category": "quality", "severity": "high", 
"confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|7bfef5c8e3d74d0ec1b94cfe7711f491a2d80883dcaadf337eda30a9fef63f0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/verification.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /reset-password has no auth"}, "properties": {"repobilityId": 118622, "scanner": "repobility-route-auth", "fingerprint": "c6ac62e2ce4d70668a63043810c27d7285b24e73ab5c84831f44443a4821261a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c6ac62e2ce4d70668a63043810c27d7285b24e73ab5c84831f44443a4821261a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/verification.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /forgot-password has no auth"}, "properties": {"repobilityId": 118621, "scanner": "repobility-route-auth", "fingerprint": "c48c8171e4257f7c4443f3058e4f29c15113953d038548b39f05c2428fdf0a6c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], 
"observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c48c8171e4257f7c4443f3058e4f29c15113953d038548b39f05c2428fdf0a6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/auth/verification.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /{approval_id} has no auth"}, "properties": {"repobilityId": 118620, "scanner": "repobility-route-auth", "fingerprint": "379663c095371661fdc7735ed0fbb6f2d6bf504736e56fb2811f46a2313fb630", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|379663c095371661fdc7735ed0fbb6f2d6bf504736e56fb2811f46a2313fb630"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/human.py"}, "region": {"startLine": 320}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /{approval_id}/extend has no auth"}, "properties": {"repobilityId": 118619, "scanner": "repobility-route-auth", "fingerprint": "c5c6d824a1d785f796babb2c647981ad9d6f364cbc8a8b54275400b471b3c6c7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|c5c6d824a1d785f796babb2c647981ad9d6f364cbc8a8b54275400b471b3c6c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/human.py"}, "region": 
{"startLine": 287}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /{approval_id}/respond has no auth"}, "properties": {"repobilityId": 118618, "scanner": "repobility-route-auth", "fingerprint": "48b6e1564ef446a5d78be33e4d67eca91182888203f0e5b904be090479c7b32b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|48b6e1564ef446a5d78be33e4d67eca91182888203f0e5b904be090479c7b32b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/human.py"}, "region": {"startLine": 246}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI DELETE /feishu/registrations/{session_id} has no auth"}, "properties": {"repobilityId": 118617, "scanner": "repobility-route-auth", "fingerprint": "1bd67cb3673e3230c849b6d80371762d5f3e66dea36cbfb777397665a922b685", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|1bd67cb3673e3230c849b6d80371762d5f3e66dea36cbfb777397665a922b685"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/channels.py"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /feishu/registrations has no auth"}, "properties": {"repobilityId": 118616, "scanner": "repobility-route-auth", "fingerprint": 
"edf8742747b27d5e649e5d46c2f1324a5ddc19b9182e5d8cb39b8f277f2e807d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|edf8742747b27d5e649e5d46c2f1324a5ddc19b9182e5d8cb39b8f277f2e807d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/routes/channels.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /upload/file has no auth"}, "properties": {"repobilityId": 118615, "scanner": "repobility-route-auth", "fingerprint": "27e476de828167f73ba3c62efaf884929d6a9016c1128d6117bab817dbddb610", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|27e476de828167f73ba3c62efaf884929d6a9016c1128d6117bab817dbddb610"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/test_request_body_limit.py"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /json has no auth"}, "properties": {"repobilityId": 118614, "scanner": "repobility-route-auth", "fingerprint": "4051db98fe997de8ebdf899e79b6e51f35690734f6ee6338d98b148eec86bb8e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", 
"owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|4051db98fe997de8ebdf899e79b6e51f35690734f6ee6338d98b148eec86bb8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/test_request_body_limit.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_validate_agent_model_access_rejects_when_role_allows_no_models"}, "properties": {"repobilityId": 118586, "scanner": "repobility-ast-engine", "fingerprint": "dda86a8340ac5d6bc1c0c2d3a79c26d093dbd5ac06bf91469f20c8b8e4dcdc85", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dda86a8340ac5d6bc1c0c2d3a79c26d093dbd5ac06bf91469f20c8b8e4dcdc85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/routes/test_chat_model_access.py"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_validate_agent_model_access_rejects_model_id_outside_user_roles"}, "properties": {"repobilityId": 118585, "scanner": "repobility-ast-engine", "fingerprint": "b6be1bbd84cf1f1bfab75275010dd0029331b05e55ca4a3daae26db4c4e87bc4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|b6be1bbd84cf1f1bfab75275010dd0029331b05e55ca4a3daae26db4c4e87bc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/routes/test_chat_model_access.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_validate_team_agent_request_ignores_other_agents"}, "properties": {"repobilityId": 118584, "scanner": "repobility-ast-engine", "fingerprint": "a7d56fd39b85fae2118d420d25cc2c953010fbad38c54e39e6b8b182effcba29", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a7d56fd39b85fae2118d420d25cc2c953010fbad38c54e39e6b8b182effcba29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/routes/test_chat_team_validation.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_validate_team_agent_request_allows_team_id"}, "properties": {"repobilityId": 118583, "scanner": "repobility-ast-engine", "fingerprint": "e41ed09ba2dbe11123c8888e1b20a172a29d27ac2c7a7b8de674087a298768a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e41ed09ba2dbe11123c8888e1b20a172a29d27ac2c7a7b8de674087a298768a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/routes/test_chat_team_validation.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED106", "level": 
"error", "message": {"text": "Phantom test coverage: test_validate_team_agent_request_allows_missing_team_id_for_fallback"}, "properties": {"repobilityId": 118582, "scanner": "repobility-ast-engine", "fingerprint": "6aa8a176bdcf5e74e3f4cd693f7b1ada9506edf84c136cfecc0d40664a23897f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6aa8a176bdcf5e74e3f4cd693f7b1ada9506edf84c136cfecc0d40664a23897f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/routes/test_chat_team_validation.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_signed_url_request_rejects_too_many_keys"}, "properties": {"repobilityId": 118580, "scanner": "repobility-ast-engine", "fingerprint": "f252341e2859852da4ef42a358ae72ab8e6fd97094fa7db445c1a9fc47d12d25", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f252341e2859852da4ef42a358ae72ab8e6fd97094fa7db445c1a9fc47d12d25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/routes/test_upload_memory_limits.py"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_get_team_raises_not_found"}, "properties": {"repobilityId": 118579, "scanner": "repobility-ast-engine", "fingerprint": 
"41b22fdd70bbee8724d77997ab7b32e0a6f2a23ed4480f9150eb9168fee215f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|41b22fdd70bbee8724d77997ab7b32e0a6f2a23ed4480f9150eb9168fee215f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/infra/test_team_manager.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_team_create_rejects_too_many_members"}, "properties": {"repobilityId": 118578, "scanner": "repobility-ast-engine", "fingerprint": "c5f0a97e7b069f7f4284095cb8d9b77c57b5308007bf5c737b858a8102c5facf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5f0a97e7b069f7f4284095cb8d9b77c57b5308007bf5c737b858a8102c5facf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/test_team_routes.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_fetch_all_files_recursive_rejects_known_total_oversize_before_fetching_content"}, "properties": {"repobilityId": 118577, "scanner": "repobility-ast-engine", "fingerprint": "c63f56b264b060070ff24312da30c263c939170424dfb2905a3353c06860057b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": 
{"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c63f56b264b060070ff24312da30c263c939170424dfb2905a3353c06860057b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/test_github_routes.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_fetch_all_files_recursive_rejects_known_oversize_before_fetching_content"}, "properties": {"repobilityId": 118576, "scanner": "repobility-ast-engine", "fingerprint": "7c553c2e56002ee239940ac32c390dc4543573f252865420b7e25a5ce7e2c6ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7c553c2e56002ee239940ac32c390dc4543573f252865420b7e25a5ce7e2c6ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/test_github_routes.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_fetch_all_files_recursive_rejects_too_many_files_before_fetching_content"}, "properties": {"repobilityId": 118575, "scanner": "repobility-ast-engine", "fingerprint": "1e4c33c8dabbf7c81f6a1f6a4e3210a440f78e78b19c65f87408115873f515c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|1e4c33c8dabbf7c81f6a1f6a4e3210a440f78e78b19c65f87408115873f515c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/test_github_routes.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_parse_zip_skills_rejects_too_many_members_before_reading_files"}, "properties": {"repobilityId": 118574, "scanner": "repobility-ast-engine", "fingerprint": "6f98f95b941d90d5fd142ba364ec8e91c9ca8f35e1236206d081f657e7522dd3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f98f95b941d90d5fd142ba364ec8e91c9ca8f35e1236206d081f657e7522dd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/test_skill_routes.py"}, "region": {"startLine": 401}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_parse_zip_skills_rejects_oversized_single_member_before_read"}, "properties": {"repobilityId": 118573, "scanner": "repobility-ast-engine", "fingerprint": "5878ebe9b39e1aa2c1b4d7bcc1978d0341fb1ed67b2fadd07478df8226ece17d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5878ebe9b39e1aa2c1b4d7bcc1978d0341fb1ed67b2fadd07478df8226ece17d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/test_skill_routes.py"}, "region": {"startLine": 386}}}]}, {"ruleId": "MINED106", "level": 
"error", "message": {"text": "Phantom test coverage: test_parse_zip_skills_rejects_oversized_uncompressed_content"}, "properties": {"repobilityId": 118572, "scanner": "repobility-ast-engine", "fingerprint": "1d20a69eebdb6177eedcb5c36919601ef6dc58906cc8cd2041733151e4533b92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d20a69eebdb6177eedcb5c36919601ef6dc58906cc8cd2041733151e4533b92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/test_skill_routes.py"}, "region": {"startLine": 373}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.start_calls` used but never assigned in __init__"}, "properties": {"repobilityId": 118571, "scanner": "repobility-ast-engine", "fingerprint": "956e9d1c6da5179c27115d8930e206ce7d81b76e3e72622a11b8a63a7b256329", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|956e9d1c6da5179c27115d8930e206ce7d81b76e3e72622a11b8a63a7b256329"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_runtime_services.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118570, "scanner": "repobility-ast-engine", "fingerprint": "f3973a3a5b4b5ecd0375958c2dff97971f0075ffbe9b370de1f976d356f713e0", "category": "quality", "severity": "high", 
"confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f3973a3a5b4b5ecd0375958c2dff97971f0075ffbe9b370de1f976d356f713e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_notification_storage.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118569, "scanner": "repobility-ast-engine", "fingerprint": "a372f7c82d7f8df707bfe685f08a3d3e40f5d4fea64e1f4632d371de1e461bb7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a372f7c82d7f8df707bfe685f08a3d3e40f5d4fea64e1f4632d371de1e461bb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_notification_storage.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118568, "scanner": "repobility-ast-engine", "fingerprint": "09ff92abc7e45cb90793b41679b7ef00968a2e9437916becae4fa4f5cc57b8b2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|09ff92abc7e45cb90793b41679b7ef00968a2e9437916becae4fa4f5cc57b8b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_notification_storage.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118567, "scanner": "repobility-ast-engine", "fingerprint": "6fd559ddcc33884a1fa05a6c530f23ad1ca7d0475762df665f4a776479781b49", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6fd559ddcc33884a1fa05a6c530f23ad1ca7d0475762df665f4a776479781b49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_notification_storage.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_run_blocking_io_keeps_slot_until_timed_out_call_finishes`"}, "properties": {"repobilityId": 118566, "scanner": "repobility-ast-engine", "fingerprint": "7ec48524dc2a9cbe33307faa21bf0cd16eb913dc39ef00ec8adc92344515da7b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7ec48524dc2a9cbe33307faa21bf0cd16eb913dc39ef00ec8adc92344515da7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_blocking_io.py"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED110", "level": "error", 
"message": {"text": "Blocking call `time.sleep` inside async function `test_run_blocking_io_applies_timeout`"}, "properties": {"repobilityId": 118565, "scanner": "repobility-ast-engine", "fingerprint": "fb0c64a6b0d31c1c7d424887d79df918db9a81d29309d60610284fe8b10196b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fb0c64a6b0d31c1c7d424887d79df918db9a81d29309d60610284fe8b10196b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_blocking_io.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_run_blocking_io_applies_timeout"}, "properties": {"repobilityId": 118564, "scanner": "repobility-ast-engine", "fingerprint": "02d184bb0db6a6b7267d4235f9cc9b5cba546de6607162e06ac978dfc108449f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|02d184bb0db6a6b7267d4235f9cc9b5cba546de6607162e06ac978dfc108449f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_blocking_io.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118563, "scanner": "repobility-ast-engine", "fingerprint": "e76f6bbc81402271ad237eab2abde8013e9214b36f396cf1dfa3ff908c2e61e3", "category": "quality", "severity": "high", 
"confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e76f6bbc81402271ad237eab2abde8013e9214b36f396cf1dfa3ff908c2e61e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_user_storage_limits.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118562, "scanner": "repobility-ast-engine", "fingerprint": "4f6765d1fe0b455a059bbede2926ee01668f7773b27f36837bf1300ee8e8f314", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4f6765d1fe0b455a059bbede2926ee01668f7773b27f36837bf1300ee8e8f314"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_user_storage_limits.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118561, "scanner": "repobility-ast-engine", "fingerprint": "742373dfb47981a77d598fb089be6dbc2b79dbfcbc38eb920330a603657c891d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|742373dfb47981a77d598fb089be6dbc2b79dbfcbc38eb920330a603657c891d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_role_storage.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118560, "scanner": "repobility-ast-engine", "fingerprint": "6e0b2daff57f7ed42684cc50be95dd631014b63e1eb18f77b616dba93a4bcb01", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6e0b2daff57f7ed42684cc50be95dd631014b63e1eb18f77b616dba93a4bcb01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_role_storage.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_default_backend_download_stream_requires_streaming_override"}, "properties": {"repobilityId": 118559, "scanner": "repobility-ast-engine", "fingerprint": "23ea7400ed90ee4de2397146816411b07d0bd98740e98117c4d648d23df7ed0a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23ea7400ed90ee4de2397146816411b07d0bd98740e98117c4d648d23df7ed0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_s3_storage_service.py"}, "region": {"startLine": 606}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test 
coverage: test_default_backend_get_size_requires_efficient_stat"}, "properties": {"repobilityId": 118558, "scanner": "repobility-ast-engine", "fingerprint": "c6cb988dcfc7f33e11169b959a3969a06a426dbb79eb0ed0427dabba15c17e68", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6cb988dcfc7f33e11169b959a3969a06a426dbb79eb0ed0427dabba15c17e68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_s3_storage_service.py"}, "region": {"startLine": 572}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_local_storage_download_range_rejects_large_range_before_open"}, "properties": {"repobilityId": 118557, "scanner": "repobility-ast-engine", "fingerprint": "08e7c4adcfcf8a6a86f5579cb557298b2bbf09bd5ae004f27a53e1767e9880fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08e7c4adcfcf8a6a86f5579cb557298b2bbf09bd5ae004f27a53e1767e9880fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_s3_storage_service.py"}, "region": {"startLine": 332}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_local_storage_download_rejects_large_file_before_open"}, "properties": {"repobilityId": 118556, "scanner": "repobility-ast-engine", "fingerprint": "bbfa9c950d9a4a9ee7de3b3acd9423a128e40fa88f40140ea155794fa456b66b", "category": 
"quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bbfa9c950d9a4a9ee7de3b3acd9423a128e40fa88f40140ea155794fa456b66b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_s3_storage_service.py"}, "region": {"startLine": 304}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.values` used but never assigned in __init__"}, "properties": {"repobilityId": 118555, "scanner": "repobility-ast-engine", "fingerprint": "1a21ff0414c4ccd223bf02dfdaf3400f60c54406cd1deb0e23c7d4d9de109cb2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1a21ff0414c4ccd223bf02dfdaf3400f60c54406cd1deb0e23c7d4d9de109cb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_feishu_manager_leases.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.delete` used but never assigned in __init__"}, "properties": {"repobilityId": 118554, "scanner": "repobility-ast-engine", "fingerprint": "d634e68e55c9f767e696f0de332858f15d6a106eb148c17055bc3e6f74699fff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|d634e68e55c9f767e696f0de332858f15d6a106eb148c17055bc3e6f74699fff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_feishu_manager_leases.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_start_returns_without_waiting_for_initial_baseline`"}, "properties": {"repobilityId": 118553, "scanner": "repobility-ast-engine", "fingerprint": "51f3035caa093b358eddce2ba8adc31fc0632a2422abbea793e7f118b8607afc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|51f3035caa093b358eddce2ba8adc31fc0632a2422abbea793e7f118b8607afc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_memory_monitor.py"}, "region": {"startLine": 934}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_start_returns_without_waiting_for_initial_baseline"}, "properties": {"repobilityId": 118552, "scanner": "repobility-ast-engine", "fingerprint": "de521bf2af7f8efa40e30b05eaf1196b0bcad7ae7cca6843e5be5ee4f9d75580", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de521bf2af7f8efa40e30b05eaf1196b0bcad7ae7cca6843e5be5ee4f9d75580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_memory_monitor.py"}, 
"region": {"startLine": 924}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `time.sleep` inside async function `test_event_loop_lag_monitor_logs_when_lag_exceeds_threshold`"}, "properties": {"repobilityId": 118551, "scanner": "repobility-ast-engine", "fingerprint": "7be44e60f3df5cd09d4dfea46973c6dac5a38ac181257dddf7cb39ceb92241ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7be44e60f3df5cd09d4dfea46973c6dac5a38ac181257dddf7cb39ceb92241ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_event_loop_lag_monitor.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.values` used but never assigned in __init__"}, "properties": {"repobilityId": 118550, "scanner": "repobility-ast-engine", "fingerprint": "4f007d9d9d5df470ebb9f3ec99a5fb485732612a85a97c41cb09cd1b80ea1fd2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4f007d9d9d5df470ebb9f3ec99a5fb485732612a85a97c41cb09cd1b80ea1fd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_distributed_memory_health.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.find_one` used but never assigned in __init__"}, "properties": {"repobilityId": 118549, "scanner": "repobility-ast-engine", "fingerprint": 
"b32ce98acd87494b64cae143217925acf8444129908e33bb86c2f8f69dee2b1c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b32ce98acd87494b64cae143217925acf8444129908e33bb86c2f8f69dee2b1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_feishu_storage.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118548, "scanner": "repobility-ast-engine", "fingerprint": "6e38e5cb2f36e7e5d3f690fafbef2423c85bd4f25385ea253cce1bb8ebb4f240", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6e38e5cb2f36e7e5d3f690fafbef2423c85bd4f25385ea253cce1bb8ebb4f240"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_feedback_storage_limits.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118547, "scanner": "repobility-ast-engine", "fingerprint": "a6ccd722d26a2cd092b304e104287c9ea74db02023b5aee60233b92f943f109c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], 
"languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a6ccd722d26a2cd092b304e104287c9ea74db02023b5aee60233b92f943f109c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_feedback_storage_limits.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118546, "scanner": "repobility-ast-engine", "fingerprint": "62266c2f68fe33c9215693e49d14aedc08e55f18f41ff113603c1825d65bcd73", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|62266c2f68fe33c9215693e49d14aedc08e55f18f41ff113603c1825d65bcd73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_mongodb_storage.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118545, "scanner": "repobility-ast-engine", "fingerprint": "5355abf08ab3ba038e39788dec36ebf86deb5aae0a0d2743008b8b8a1a30cf8c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5355abf08ab3ba038e39788dec36ebf86deb5aae0a0d2743008b8b8a1a30cf8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_mongodb_storage.py"}, "region": {"startLine": 52}}}]}, 
{"ruleId": "MINED108", "level": "error", "message": {"text": "`self.values` used but never assigned in __init__"}, "properties": {"repobilityId": 118544, "scanner": "repobility-ast-engine", "fingerprint": "b4f440a33214267111a5236965977c41ad74c8d6a1b88cc1a6a7fffcfd611fd8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b4f440a33214267111a5236965977c41ad74c8d6a1b88cc1a6a7fffcfd611fd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_websocket_manager.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.values` used but never assigned in __init__"}, "properties": {"repobilityId": 118543, "scanner": "repobility-ast-engine", "fingerprint": "f680ed31deb446bb6c1a0663092563b3adf92833c76011ce8072ae786885a386", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f680ed31deb446bb6c1a0663092563b3adf92833c76011ce8072ae786885a386"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_websocket_manager.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.values` used but never assigned in __init__"}, "properties": {"repobilityId": 118542, "scanner": "repobility-ast-engine", "fingerprint": "837086b81c94ff1cfc8bccc119397a9273f92f972615478151a3a804a650d614", "category": "quality", "severity": "high", 
"confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|837086b81c94ff1cfc8bccc119397a9273f92f972615478151a3a804a650d614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_websocket_manager.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.values` used but never assigned in __init__"}, "properties": {"repobilityId": 118541, "scanner": "repobility-ast-engine", "fingerprint": "0c1dbd961f0c5f6db1985afc49113939de08bb7b1003cc82fd8c1e8a4631ac93", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c1dbd961f0c5f6db1985afc49113939de08bb7b1003cc82fd8c1e8a4631ac93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_websocket_manager.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.keys` used but never assigned in __init__"}, "properties": {"repobilityId": 118540, "scanner": "repobility-ast-engine", "fingerprint": "7b07c78970b08ec4b68d516672e5bd49ade13d46c944a459c0c7011d298884a5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|7b07c78970b08ec4b68d516672e5bd49ade13d46c944a459c0c7011d298884a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_websocket_manager.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_delete_checkpoints_for_thread_skips_when_checkpoint_disabled"}, "properties": {"repobilityId": 118539, "scanner": "repobility-ast-engine", "fingerprint": "2a57fe283fc40cd7946c2fed03b2798dfcc63b2e8b52caa6b9354476cbb73cdc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a57fe283fc40cd7946c2fed03b2798dfcc63b2e8b52caa6b9354476cbb73cdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_checkpoint_fork_clone.py"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.names` used but never assigned in __init__"}, "properties": {"repobilityId": 118538, "scanner": "repobility-ast-engine", "fingerprint": "75c1d1d7bffe4967edcf7559ed36711d7fb2327d4857775d63d3f4d5414d6bfc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75c1d1d7bffe4967edcf7559ed36711d7fb2327d4857775d63d3f4d5414d6bfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/persona_preset/test_manager.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": 
"Phantom test coverage: test_admin_cannot_view_another_users_private_user_preset"}, "properties": {"repobilityId": 118537, "scanner": "repobility-ast-engine", "fingerprint": "a435fc18433bce85e24171edb00c52121240daa1de3729db6e8ab4badb82f0d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a435fc18433bce85e24171edb00c52121240daa1de3729db6e8ab4badb82f0d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/persona_preset/test_manager.py"}, "region": {"startLine": 421}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_invisible_preset_raises_not_found"}, "properties": {"repobilityId": 118536, "scanner": "repobility-ast-engine", "fingerprint": "78fcf18e238c1efba2d35eb970c9a4d198f894c39b0cb701731f1145d0776186", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|78fcf18e238c1efba2d35eb970c9a4d198f894c39b0cb701731f1145d0776186"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/persona_preset/test_manager.py"}, "region": {"startLine": 408}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_non_admin_cannot_publish_user_preset_as_global"}, "properties": {"repobilityId": 118535, "scanner": "repobility-ast-engine", "fingerprint": "139ef0fec0982de316c1c6881a518c12e80a461bb122b1037623af42a6cc95bd", "category": "quality", "severity": 
"high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|139ef0fec0982de316c1c6881a518c12e80a461bb122b1037623af42a6cc95bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/persona_preset/test_manager.py"}, "region": {"startLine": 314}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_non_admin_cannot_create_global_preset"}, "properties": {"repobilityId": 118534, "scanner": "repobility-ast-engine", "fingerprint": "69ab946e3e5d18226bcbd0e94b2188de90e8dd92d4042320932b0fede180650f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|69ab946e3e5d18226bcbd0e94b2188de90e8dd92d4042320932b0fede180650f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/persona_preset/test_manager.py"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118533, "scanner": "repobility-ast-engine", "fingerprint": "1513fa4b9a2025e841a7df10191e9f57b1d94561830899b7d11002438719c9f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|1513fa4b9a2025e841a7df10191e9f57b1d94561830899b7d11002438719c9f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/persona_preset/test_storage_visibility.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._iter` used but never assigned in __init__"}, "properties": {"repobilityId": 118532, "scanner": "repobility-ast-engine", "fingerprint": "a8713b3d04f9ae5aad84dd62267daf7c5dac4bfff0dd4e5b2379d3a5f352c2b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a8713b3d04f9ae5aad84dd62267daf7c5dac4bfff0dd4e5b2379d3a5f352c2b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/persona_preset/test_storage_visibility.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 118846, "scanner": "repobility-journey-contract", "fingerprint": "827f48e9cac1f54717351e483ccdd8918f974b2194b29a1806c4aee21fcdedce", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|9|jrn001"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "frontend/src/components/auth/OAuthCallback.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 118799, "scanner": "gitleaks", "fingerprint": "a824e057287f9282fa9e13ac5addfb916d750bbfd54ec6909550ad7b4141c331", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|4|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/infra/test_oauth_service.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `stat` used but not imported"}, "properties": {"repobilityId": 118613, "scanner": "repobility-ast-engine", "fingerprint": "5bc4508cb4cdd39376194d389f25d897b8513bdd12dcb3153ccda27765a16dbe", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5bc4508cb4cdd39376194d389f25d897b8513bdd12dcb3153ccda27765a16dbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/storage/s3/backends/minio.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `stat` used but not imported"}, "properties": {"repobilityId": 118612, "scanner": "repobility-ast-engine", "fingerprint": "a2bf9e3ffd5311e5439c9411b1a12e38f99a9016828fa290c20d9d3a659f492a", "category": 
"quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a2bf9e3ffd5311e5439c9411b1a12e38f99a9016828fa290c20d9d3a659f492a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/monitoring/memory.py"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 118611, "scanner": "repobility-ast-engine", "fingerprint": "632ee03265e3ac558bcdef94794c6f23f0798875bde434fe99fff7d4f9bdf3f7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|632ee03265e3ac558bcdef94794c6f23f0798875bde434fe99fff7d4f9bdf3f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/infra/auth/oauth.py"}, "region": {"startLine": 347}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `stat` used but not imported"}, "properties": {"repobilityId": 118594, "scanner": "repobility-ast-engine", "fingerprint": "c8064e34720639269d454d53a05a0a9a03f39c2fe1ad636fe967f07ab9478716", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|c8064e34720639269d454d53a05a0a9a03f39c2fe1ad636fe967f07ab9478716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/main.py"}, "region": {"startLine": 199}}}]}]}]}