{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /pr"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /probe."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT008", "name": "Ollama audio payload path may mislead users about direct model audio", "shortDescription": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "fullDescription": {"text": "Some local LLM runtimes advertise or accept audio-shaped fields while the actual UX uses browser transcription. The UI should disclose when voice is converted to text in the browser."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `e2e` image is selected through a build variable", "shortDescription": {"text": "Compose service `e2e` image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/343"}, "properties": {"repository": "tinyhumansai/openhuman", "repoUrl": "https://github.com/tinyhumansai/openhuman.git", "branch": "main"}, "results": [{"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 10917, "scanner": "repobility-journey-contract", "fingerprint": "487ba048791b1a931e603d9e9f677821530ed58df28ade3556545f7b49ff8c8b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|219|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 219}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 10916, "scanner": "repobility-journey-contract", "fingerprint": "77145cb9045d8e4650c519fe50be28a67dff003a60c2078339eeaed43736100b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|202|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 202}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 10915, "scanner": "repobility-journey-contract", "fingerprint": "c61bc8ca3da779205d1fd3a85ea09037c052776d48671dd6695da83afe0e7964", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|60|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/coreModeSlice.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /probe."}, "properties": {"repobilityId": 10914, "scanner": "repobility-access-control", "fingerprint": "1ede81dc63000d2c60700856e892a63ebb3b7f91107a9b0d5304c2d4caeb4cf2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/probe", "method": "ANY", "scanner": "repobility-access-control", "framework": "Actix", "correlation_key": "code|auth|src/api/rest_tests.rs|188|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/rest_tests.rs"}, "region": {"startLine": 188}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 10913, "scanner": "repobility-access-control", "fingerprint": "ae0e7b4007a228cab07ec453f8cb9c117341ab68ff3dea44fb2d51291624b5e0", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 44, "correlation_key": "fp|ae0e7b4007a228cab07ec453f8cb9c117341ab68ff3dea44fb2d51291624b5e0", "auth_visible_percent": 18.2}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 10912, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Actix", "Axum"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 10909, "scanner": "repobility-docker", "fingerprint": "e934807ed7f25492c22e61e7dab3ac09998d87533437466d526f5399801e0cdc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:22.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e934807ed7f25492c22e61e7dab3ac09998d87533437466d526f5399801e0cdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 10903, "scanner": "repobility-docker", "fingerprint": "4f231211c7d99915271b0839f519a39b956013e34c7ce04792275f68dcf3bebb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:22.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4f231211c7d99915271b0839f519a39b956013e34c7ce04792275f68dcf3bebb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 10900, "scanner": "repobility-threat-engine", "fingerprint": "76f6efcd1c7652dd306d7edc263faf37cad7d1957d4b038f749bc09af87d21ad", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|34|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/conversations/utils/workerThreadRef.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 10891, "scanner": "repobility-threat-engine", "fingerprint": "1550948315f6f851255f5d664c662bfff217dc5c6462f69abda5bee8ab2e17bc", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1550948315f6f851255f5d664c662bfff217dc5c6462f69abda5bee8ab2e17bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_video/camera_bridge.js"}, "region": {"startLine": 138}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 10890, "scanner": "repobility-threat-engine", "fingerprint": "9d81123cbeb98a1eb62f29ce49a9ac4ea6d193a0e3a1706494c950d5e488ba9a", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(function () {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d81123cbeb98a1eb62f29ce49a9ac4ea6d193a0e3a1706494c950d5e488ba9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/webview_accounts/runtime.js"}, "region": {"startLine": 159}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 10889, "scanner": "repobility-threat-engine", "fingerprint": "61c34d6c620b75eaebc1ce3a4f51611cd02e167de0c49c1cbfe21e450b1b3b77", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61c34d6c620b75eaebc1ce3a4f51611cd02e167de0c49c1cbfe21e450b1b3b77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/recipes/google-meet/recipe.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10888, "scanner": "repobility-agent-runtime", "fingerprint": "0efe38aa8f780a750e6c9210e333ea4705df2fd666dd890325d3cfe7defd168c", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|0efe38aa8f780a750e6c9210e333ea4705df2fd666dd890325d3cfe7defd168c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/userScopedStorage.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10887, "scanner": "repobility-agent-runtime", "fingerprint": "29510b4863409535d0b7e0f10f369a57da0919b9ad263d7c05ce0960c8ed07a8", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|29510b4863409535d0b7e0f10f369a57da0919b9ad263d7c05ce0960c8ed07a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/index.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10886, "scanner": "repobility-agent-runtime", "fingerprint": "85077487b977acb768a2239a954aa7f0906d801fbc9f633935eea39e0b6c3d9d", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|85077487b977acb768a2239a954aa7f0906d801fbc9f633935eea39e0b6c3d9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/onboarding/components/BetaBanner.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AGT008", "level": "warning", "message": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "properties": {"repobilityId": 10885, "scanner": "repobility-agent-runtime", "fingerprint": "d0f6edb33e4edf36079cd5f1b1594bc92a679a693e7a820b3f14f5b75d1757fe", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Ollama and an audios payload without an obvious capability check or browser-transcription disclosure.", "evidence": {"rule_id": "AGT008", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d0f6edb33e4edf36079cd5f1b1594bc92a679a693e7a820b3f14f5b75d1757fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Conversations.tsx"}, "region": {"startLine": 637}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10884, "scanner": "repobility-agent-runtime", "fingerprint": "4b59d9c309d7898774d889516bb9629dbf408c609c23d7e3b9976e796be7a409", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|4b59d9c309d7898774d889516bb9629dbf408c609c23d7e3b9976e796be7a409"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/overlay/OverlayApp.tsx"}, "region": {"startLine": 412}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10883, "scanner": "repobility-agent-runtime", "fingerprint": "45bedb785873b064349b6bb7a3079182469c837778c9bd95fafc1abef00d5aad", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|45bedb785873b064349b6bb7a3079182469c837778c9bd95fafc1abef00d5aad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/AgentChatPanel.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10882, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83c2d9392fafdbf96fce0f2bcda0c50ec17e078c2fc4fb4f9ae354bda21678eb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/slack_scanner/idb.rs", "duplicate_line": 11, "correlation_key": "fp|83c2d9392fafdbf96fce0f2bcda0c50ec17e078c2fc4fb4f9ae354bda21678eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/idb.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10881, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ce9aa4bbf38ddc3235017167886d00dcfc0e6ff15c86cd303b5f7747bd433b13", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/discord_scanner/dom_snapshot.rs", "duplicate_line": 26, "correlation_key": "fp|ce9aa4bbf38ddc3235017167886d00dcfc0e6ff15c86cd303b5f7747bd433b13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/dom_snapshot.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10880, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee1be7c425fdd37eb067e6ce94a5321bce51d98b2dcbdb185540ce920846cb27", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/conn.rs", "duplicate_line": 9, "correlation_key": "fp|ee1be7c425fdd37eb067e6ce94a5321bce51d98b2dcbdb185540ce920846cb27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/mod.rs"}, "region": {"startLine": 505}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10879, "scanner": "repobility-ai-code-hygiene", "fingerprint": "972b994f6fbeb05629567270683524937625e54f993c86442abbdc1f9afe3ae4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/target.rs", "duplicate_line": 39, "correlation_key": "fp|972b994f6fbeb05629567270683524937625e54f993c86442abbdc1f9afe3ae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/mod.rs"}, "region": {"startLine": 468}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10878, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7497c0c80ad591084a1cc067f4c28a97f0f9e015de1238986a7ee810b342345d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/discord_scanner/mod.rs", "duplicate_line": 15, "correlation_key": "fp|7497c0c80ad591084a1cc067f4c28a97f0f9e015de1238986a7ee810b342345d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/mod.rs"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10877, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99d1fe5f42f514a25af85729ee1c6957c6086d11cee0281abc0068c3a41abda6", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/gmessages_scanner/cdp_walk.rs", "duplicate_line": 68, "correlation_key": "fp|99d1fe5f42f514a25af85729ee1c6957c6086d11cee0281abc0068c3a41abda6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/idb.rs"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10876, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d78f733177a6658d84a15d9f7a9a389be921106b046cb5581907ac06c92e007b", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/discord_scanner/dom_snapshot.rs", "duplicate_line": 1, "correlation_key": "fp|d78f733177a6658d84a15d9f7a9a389be921106b046cb5581907ac06c92e007b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/dom_snapshot.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10875, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05883ea93ab315e5a849c7df62ca3a9563ec82c9752ed560560ea10a10695766", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/meet_audio/inject.rs", "duplicate_line": 82, "correlation_key": "fp|05883ea93ab315e5a849c7df62ca3a9563ec82c9752ed560560ea10a10695766"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_video/inject.rs"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10874, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d396e0ff3bda229f9b970511c11f729f78cc55ed6abfeb1672e06df84d9e2261", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/meet_audio/inject.rs", "duplicate_line": 56, "correlation_key": "fp|d396e0ff3bda229f9b970511c11f729f78cc55ed6abfeb1672e06df84d9e2261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_scanner/mod.rs"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10873, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef3b893b196419e58d402a6a39c59ce67d7974e7647b7f53c322d3c92e37d829", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/gmessages_scanner/mod.rs", "duplicate_line": 30, "correlation_key": "fp|ef3b893b196419e58d402a6a39c59ce67d7974e7647b7f53c322d3c92e37d829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/imessage_scanner/mod.rs"}, "region": {"startLine": 321}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10872, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b4a842fe4cf070d28776150cb14e52ef962fec95d55405cdce520722f27020a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/conn.rs", "duplicate_line": 9, "correlation_key": "fp|6b4a842fe4cf070d28776150cb14e52ef962fec95d55405cdce520722f27020a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/discord_scanner/mod.rs"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10871, "scanner": "repobility-ai-code-hygiene", "fingerprint": "edf17c8355b4f0ed468680b5153516941ec9dbcabd63432c5e07c1ad584ca896", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/target.rs", "duplicate_line": 39, "correlation_key": "fp|edf17c8355b4f0ed468680b5153516941ec9dbcabd63432c5e07c1ad584ca896"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/discord_scanner/mod.rs"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 10870, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3fc1edb80dfb220f4ade01d077fce6d73615380c27622cde42f32df43ecec54c", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "clean", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "src/openhuman/memory/tree/canonicalize/email.rs", "correlation_key": "fp|3fc1edb80dfb220f4ade01d077fce6d73615380c27622cde42f32df43ecec54c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/tree/canonicalize/email_clean.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 10869, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3a7eecd2d43871e24ea00e7a56d9b175798254ce8027df32526c095053de9f5", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "alt", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "remotion/src/Mascot/mascot-yellow-wave.tsx", "correlation_key": "fp|b3a7eecd2d43871e24ea00e7a56d9b175798254ce8027df32526c095053de9f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "remotion/src/Mascot/mascot-yellow-wave-alt.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10910, "scanner": "repobility-docker", "fingerprint": "6f82f915669a3638c3fe710128387245754ace6c0cefb8f31b1875c230b1ae57", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "openhuman-core", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6f82f915669a3638c3fe710128387245754ace6c0cefb8f31b1875c230b1ae57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 10908, "scanner": "repobility-docker", "fingerprint": "43c255baecb533f81fa04d72ef6a3a965b71248510674972964189545c0e4abd", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|43c255baecb533f81fa04d72ef6a3a965b71248510674972964189545c0e4abd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 10905, "scanner": "repobility-docker", "fingerprint": "e26b372d9d731d47aae7631256ea92261dbf4e179d697ec7b995fd178aab99f9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e26b372d9d731d47aae7631256ea92261dbf4e179d697ec7b995fd178aab99f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 10904, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `e2e` image is selected through a build variable"}, "properties": {"repobilityId": 10911, "scanner": "repobility-docker", "fingerprint": "1d0e9c807aadc532a749d3ab156b7556d660de117d08d6cf8f04529fa0e39e5c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${OPENHUMAN_CI_IMAGE:-ghcr.io/tinyhumansai/openhuman_ci:latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1d0e9c807aadc532a749d3ab156b7556d660de117d08d6cf8f04529fa0e39e5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10899, "scanner": "repobility-threat-engine", "fingerprint": "015624d54588e78b188bc9104a95afc6319bd4ac8d54e067e19d0b8385b57e46", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.debug('[memory] syncMemoryClientToken: <redacted> \u2014 skipped (not Tauri)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|console.debug memory syncmemoryclienttoken: redacted skipped not tauri"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/tauriCommands/memory.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10898, "scanner": "repobility-threat-engine", "fingerprint": "6f7bccfb806b6f994ced3a577ada1d1f176909c9c0fe6b3f4c3d8ae04e9a2f28", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.debug('[configPersistence] Stored core token (cloud mode)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|21|console.debug configpersistence stored core token cloud mode"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 220}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10897, "scanner": "repobility-threat-engine", "fingerprint": "71437094899e087d012e34c909d026c76b82ca0c89436d075cb270e3992cb3b9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn('[DeepLink] URL did not contain a token query parameter')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|console.warn deeplink url did not contain a token query parameter"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/desktopDeepLinkListener.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 10896, "scanner": "repobility-threat-engine", "fingerprint": "ed3769a4ea3a3aeb3b1fd74c33a316d9452004c8aff6770390b3265ad0543e09", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ed3769a4ea3a3aeb3b1fd74c33a316d9452004c8aff6770390b3265ad0543e09"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10895, "scanner": "repobility-threat-engine", "fingerprint": "a930699a5b77c7407e13c615ed42d0956012af7420debcfeff8989b329e88e24", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|77|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Intelligence.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10894, "scanner": "repobility-threat-engine", "fingerprint": "133cd7a0aa39891f85c6121ae9c725fbbcaa93dbcefaae9aa9a04461c1d4460f", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|app/src/pages/accounts.tsx|40|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Accounts.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10893, "scanner": "repobility-threat-engine", "fingerprint": "48f304abcfea4752a3392db7e385376dd3f225994e7c32b8873be7c61648e337", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|app/src/pages/skills.tsx|303|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Skills.tsx"}, "region": {"startLine": 303}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 10892, "scanner": "repobility-threat-engine", "fingerprint": "5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f"}}}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 10920, "scanner": "repobility-journey-contract", "fingerprint": "d0f92091c0376412abe18fc4fac2026732e3a17f44e8443e3a4569dd2dc2eead", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|281|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/ComposioPanel.tsx"}, "region": {"startLine": 281}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 10919, "scanner": "repobility-journey-contract", "fingerprint": "1232694db8c2b2fc5cecfba646d9c6ae31fbf053f3eac027f687dded4384d329", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|465|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/BackendProviderPanel.tsx"}, "region": {"startLine": 465}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 10918, "scanner": "repobility-journey-contract", "fingerprint": "adb2e33a5d089541e1ce0166e3d355f9dd76d33fbbcafd7abd2ed476194d2067", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|741|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 0}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/composio/ComposioConnectModal.tsx"}, "region": {"startLine": 741}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 10907, "scanner": "repobility-docker", "fingerprint": "b942048308d9a1df4ccd79cb9bba15a44e57079daee70c2d67ff135c171c0e51", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b942048308d9a1df4ccd79cb9bba15a44e57079daee70c2d67ff135c171c0e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 10906, "scanner": "repobility-docker", "fingerprint": "1711f825ac45df78e3a4d6f0de2a7c6f0153a0312b9d855bf07616f139b56f4d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1711f825ac45df78e3a4d6f0de2a7c6f0153a0312b9d855bf07616f139b56f4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 10902, "scanner": "repobility-docker", "fingerprint": "61773614b6c44909c6ba1fbcbe9381ccf2968b4c062a24692a4515456f2f87af", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|61773614b6c44909c6ba1fbcbe9381ccf2968b4c062a24692a4515456f2f87af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 10901, "scanner": "repobility-docker", "fingerprint": "b38a7d84de644662090102786f9677b2b25ff23cbe9537cca643e3d6d93de5cb", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b38a7d84de644662090102786f9677b2b25ff23cbe9537cca643e3d6d93de5cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile"}, "region": {"startLine": 46}}}]}]}]}