{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to 
perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /no"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /statistics."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 44.7% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 44.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": 
"[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. 
Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. 
If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC105", "name": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted ove", "shortDescription": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "fullDescription": {"text": "Always set HttpOnly=true, Secure=true (in production), SameSite=Lax or Strict. 
For Express: `res.cookie(name, val, { httpOnly: true, secure: true, sameSite: 'lax' })`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public 
web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `load_areas_txt` has cognitive complexity 9 (SonarSource scale). Cognitive", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `load_areas_txt` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 9."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution (and 12 more): Same pattern found in 12 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED098] Global Scope Pollution (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /terminal/porky/end has no auth: Express route POST /terminal/porky/end declared without an auth", "shortDescription": {"text": "[MINED113] Express POST /terminal/porky/end has no auth: Express route POST /terminal/porky/end declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:20"}, "fullDescription": {"text": "Add an auth middleware: app.post('/terminal/porky/end', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. 
If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /terminal/scripts/:scriptId."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. 
The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1418"}, "properties": {"repository": "jaktestowac/rolnopol", "repoUrl": "https://github.com/jaktestowac/rolnopol", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 145462, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 145461, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145456, "scanner": "repobility-journey-contract", "fingerprint": "4db147e7d7c1e5482efb261acd775d996d1057e91a9d25e1ca1f6fb648b15b4b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/easter-eggs/firefly-jar", "correlation_key": "fp|4db147e7d7c1e5482efb261acd775d996d1057e91a9d25e1ca1f6fb648b15b4b", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/firefly-notification-plugin/index.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145455, "scanner": "repobility-journey-contract", "fingerprint": "21a51641d6faf40e5b59af677543bcaf4e47dc08d6079a4c72b85ff0c0e28dbc", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": 
false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/messenger", "correlation_key": "fp|21a51641d6faf40e5b59af677543bcaf4e47dc08d6079a4c72b85ff0c0e28dbc", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/feature-flag-watcher/index.js"}, "region": {"startLine": 52}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145454, "scanner": "repobility-journey-contract", "fingerprint": "e62a672baf90df5e75ab4d72c6941c961058715f95e9eb026136767e1c7292fc", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/feature-flag-watcher", "correlation_key": "fp|e62a672baf90df5e75ab4d72c6941c961058715f95e9eb026136767e1c7292fc", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/feature-flag-watcher/index.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145453, "scanner": "repobility-journey-contract", "fingerprint": "5c152c13f1231f7acf2763496cf07697c5a3306d80b212b15a0bba868657ca26", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": 
"Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/ping", "correlation_key": "fp|5c152c13f1231f7acf2763496cf07697c5a3306d80b212b15a0bba868657ca26", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/barn-whisper-ping-plugin/index.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145452, "scanner": "repobility-journey-contract", "fingerprint": "003491bf75ae66def7dfd6c09e577db94511caaca2a4f93665157ec0c1a81613", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/testing/webhooks/sink", "correlation_key": "fp|003491bf75ae66def7dfd6c09e577db94511caaca2a4f93665157ec0c1a81613", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/testing.controller.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145451, "scanner": "repobility-journey-contract", "fingerprint": "ff5c146df1aa777a42e351d61a72198c772a17e344748c391272c76dc386bb40", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path 
appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/testing/webhooks/sink", "correlation_key": "fp|ff5c146df1aa777a42e351d61a72198c772a17e344748c391272c76dc386bb40", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/testing.controller.js"}, "region": {"startLine": 34}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145450, "scanner": "repobility-journey-contract", "fingerprint": "7362b40331b101db6eca6c1d73ffe1e8ee72bc1b1fe4f2262d63d6ab9bd0491f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/notifications/trigger", "correlation_key": "fp|7362b40331b101db6eca6c1d73ffe1e8ee72bc1b1fe4f2262d63d6ab9bd0491f", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/notification-center.controller.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145449, "scanner": "repobility-journey-contract", "fingerprint": "7938c6b21f6ee805bcaa5af920658b47da61ef8942ae459bc8371ee312256430", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path 
appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/notifications/trigger", "correlation_key": "fp|7938c6b21f6ee805bcaa5af920658b47da61ef8942ae459bc8371ee312256430", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/notification-center.controller.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145448, "scanner": "repobility-journey-contract", "fingerprint": "e2d4c45e9c7469022cd8b12e047a37b4eeb35a1ce177660b86a6c5b484235c1c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/notifications/test-event", "correlation_key": "fp|e2d4c45e9c7469022cd8b12e047a37b4eeb35a1ce177660b86a6c5b484235c1c", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/notification-center.controller.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145447, "scanner": "repobility-journey-contract", "fingerprint": "885cf3e12a87fbaa787fe2178382c7bdb169398fd176df517c506a7ac125a6d7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": 
"Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/notifications/test-event", "correlation_key": "fp|885cf3e12a87fbaa787fe2178382c7bdb169398fd176df517c506a7ac125a6d7", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/notification-center.controller.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145446, "scanner": "repobility-journey-contract", "fingerprint": "e6475d21e567a0f3e927d2f83ddf5e69a637f8bead7ea5bb63476276bfd71225", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/notifications/ws", "correlation_key": "fp|e6475d21e567a0f3e927d2f83ddf5e69a637f8bead7ea5bb63476276bfd71225", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/notification-center.controller.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145445, "scanner": "repobility-journey-contract", "fingerprint": "3bdaad36543bb3c9e771ed55e65ac761a567ac863eadcec0c1cbc3f04898d561", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, 
"reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/notifications/events", "correlation_key": "fp|3bdaad36543bb3c9e771ed55e65ac761a567ac863eadcec0c1cbc3f04898d561", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/notification-center.controller.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145444, "scanner": "repobility-journey-contract", "fingerprint": "f8b7102365e773e75553d152ab1392c84d5745a4fb5b36f2aae43c456255104d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/notifications/health", "correlation_key": "fp|f8b7102365e773e75553d152ab1392c84d5745a4fb5b36f2aae43c456255104d", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/notification-center.controller.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145443, "scanner": "repobility-journey-contract", "fingerprint": "cc0c73ec940a6ddb18a26e0d260270e2650859b28569364ee9008c058a7be433", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": 
false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v2", "correlation_key": "fp|cc0c73ec940a6ddb18a26e0d260270e2650859b28569364ee9008c058a7be433", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/index.js"}, "region": {"startLine": 525}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 145442, "scanner": "repobility-journey-contract", "fingerprint": "443ec16fe17bac11627519dbcca8eaf1f64ee740ef6b35d840921f9261688049", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/logs", "correlation_key": "fp|443ec16fe17bac11627519dbcca8eaf1f64ee740ef6b35d840921f9261688049", "backend_endpoint_count": 38}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/index.js"}, "region": {"startLine": 520}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /notifications/count."}, "properties": {"repobilityId": 145441, "scanner": "repobility-access-control", "fingerprint": "916104a96000546ae113b810df76d6ce79e4048cb70095715a854c0b91e54ea5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/notifications/count", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|5|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/notification-count.route.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /terminal/radio."}, "properties": {"repobilityId": 145440, "scanner": "repobility-access-control", "fingerprint": "3e63f5e0884723cf9835ff4c68735ee9d7569507909f257864fe395a685e8f5f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/terminal/radio", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|routes/v1/terminal.route.js|2072|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/terminal.route.js"}, "region": {"startLine": 2072}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /terminal/bootstrap."}, "properties": {"repobilityId": 145439, "scanner": "repobility-access-control", "fingerprint": "b090ea2b2ea994a5aa5062ed895d1040549df2150d0906176cca90080289847f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/terminal/bootstrap", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|routes/v1/terminal.route.js|2056|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/terminal.route.js"}, "region": {"startLine": 2056}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /terminal."}, "properties": {"repobilityId": 145438, "scanner": "repobility-access-control", "fingerprint": "f0b1f2ae8d3171570ecf54d4ca31c1690f63253f22471f455184377560223467", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/terminal", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|routes/v1/terminal.route.js|2041|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/terminal.route.js"}, "region": {"startLine": 2041}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /debug/database/restore-base."}, "properties": {"repobilityId": 145437, "scanner": "repobility-access-control", "fingerprint": "7bb6a21261fcbb0de12f0cbdbe305de7cab2ca7beb80c5365efbd2607e2946f7", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/debug/database/restore-base", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|routes/debug.route.js|52|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/debug.route.js"}, "region": {"startLine": 52}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /debug."}, "properties": {"repobilityId": 145436, "scanner": "repobility-access-control", "fingerprint": "3d1417f4e57ed99e5fc699c74599d9c55d80b994bbfa65ae766e939161c32079", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/debug", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|routes/debug.route.js|8|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/debug.route.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /."}, "properties": {"repobilityId": 145435, "scanner": "repobility-access-control", "fingerprint": "2b3fc19ed545d52661bae6cd4d8a3194c05f562b934784f3c54393625a1c75a7", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|routes/logs.route.js|6|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/logs.route.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /statistics."}, "properties": {"repobilityId": 145434, "scanner": "repobility-access-control", "fingerprint": "e6aa0f2ad4229322726bda8d349f035d60d65d8956a16bf0c9c065b90ae1e852", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/statistics", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|routes/v1/index.js|48|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/index.js"}, "region": {"startLine": 48}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application 
admin access. Endpoint: GET /health/memory."}, "properties": {"repobilityId": 145433, "scanner": "repobility-access-control", "fingerprint": "dca31bdd035cf9992e61cd22076880e07764989359872689f961808538f2e456", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/health/memory", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|99|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/healthcheck.route.js"}, "region": {"startLine": 99}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /health/databases."}, "properties": {"repobilityId": 145432, "scanner": "repobility-access-control", "fingerprint": "f07ce84c50f3674c6b10ba0e75430910b7cc2fcfc35a7180fa13a819e1c84903", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/health/databases", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|72|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/healthcheck.route.js"}, "region": {"startLine": 72}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /."}, "properties": {"repobilityId": 145431, "scanner": "repobility-access-control", "fingerprint": "d2ec300fce41b3788589bb5797e8675173cbf8dbf169f24661196e30013ce4e5", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|routes/contact.route.js|11|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/contact.route.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 44.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 145429, "scanner": "repobility-access-control", "fingerprint": "522027cedf498bbac01bdb141a3d8f98be36962a8ed23f7da0221bd0673e46ca", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 38, "correlation_key": "fp|522027cedf498bbac01bdb141a3d8f98be36962a8ed23f7da0221bd0673e46ca", "auth_visible_percent": 44.7}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 145428, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": 
"medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 145427, "scanner": "repobility-agent-runtime", "fingerprint": "8286401160aa9840f86d8aa84afae7efecde5eaac8b48354d1e9a09169ee6b87", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|8286401160aa9840f86d8aa84afae7efecde5eaac8b48354d1e9a09169ee6b87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/services/feature-flags-service.js"}, "region": {"startLine": 94}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 145426, "scanner": "repobility-agent-runtime", "fingerprint": "2ac4d7608ff3c70717e9b6d3c91775a18e3c6c2655d35ce690de5b583b3033ab", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": 
"repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|2ac4d7608ff3c70717e9b6d3c91775a18e3c6c2655d35ce690de5b583b3033ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/tasks.js"}, "region": {"startLine": 797}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 145425, "scanner": "repobility-agent-runtime", "fingerprint": "001d10deb929f6c107a91bd789b08d9661fa27bd3da6a924cbc25c6d7316da4e", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|001d10deb929f6c107a91bd789b08d9661fa27bd3da6a924cbc25c6d7316da4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/status.js"}, "region": {"startLine": 75}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 145424, "scanner": "repobility-agent-runtime", "fingerprint": "59410ba2ca0c0c58a59b1cb7022b1458889ba413d2292e400930d156b2b78522", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": 
"fp|59410ba2ca0c0c58a59b1cb7022b1458889ba413d2292e400930d156b2b78522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/farmlog.js"}, "region": {"startLine": 653}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 145423, "scanner": "repobility-agent-runtime", "fingerprint": "980cb38343ea147235554a4ae2425be4ca2b21f49932548a5563393fd357433c", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|980cb38343ea147235554a4ae2425be4ca2b21f49932548a5563393fd357433c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/app.js"}, "region": {"startLine": 822}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables and framework internals to any client that can trigger an error \u2014 and in some frameworks it enables RCE (for example an exposed interactive debugger console, or a debug page that evaluates templates)."}, "properties": {"repobilityId": 145409, "scanner": "repobility-threat-engine", "fingerprint": "ab65c686e0300a9fd8d61f00cdd8ec111f0efcc05f0da0cc4c4b94486faa5668", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug=true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": 
"fp|ab65c686e0300a9fd8d61f00cdd8ec111f0efcc05f0da0cc4c4b94486faa5668"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/debug.route.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). Complement to server-side SEC030."}, "properties": {"repobilityId": 145408, "scanner": "repobility-threat-engine", "fingerprint": "9fb7fa5c5fb458f38b72545ccb9caf4b8d40e96a09e22a3f74e2023187585c9d", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = redirectUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9fb7fa5c5fb458f38b72545ccb9caf4b8d40e96a09e22a3f74e2023187585c9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/services/auth-service.js"}, "region": {"startLine": 240}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 145406, "scanner": "repobility-threat-engine", "fingerprint": "951268852f7504f7aec542badc78d8522f5c78398aeedd21aaf71a89baedb0e3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (_) {\n      return [];\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|951268852f7504f7aec542badc78d8522f5c78398aeedd21aaf71a89baedb0e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/status.js"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 145405, "scanner": "repobility-threat-engine", "fingerprint": "9a8f29a9742599c2392abe2718b9885b4cf0a64ff00534d96856ca7a02e2643d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n      return true;\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a8f29a9742599c2392abe2718b9885b4cf0a64ff00534d96856ca7a02e2643d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/staff-fields-export.js"}, "region": {"startLine": 57}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 145404, "scanner": "repobility-threat-engine", "fingerprint": "1b04bac34321fba465c954282c899c1c1ffb378683dba504e8ce90903852ee6d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1b04bac34321fba465c954282c899c1c1ffb378683dba504e8ce90903852ee6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/debug-database-restore.service.js"}, "region": {"startLine": 98}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 145403, "scanner": 
"repobility-threat-engine", "fingerprint": "eb085e7c0afe7dd0985400e531d857d43d707fe9ddebfa1ec161d610cc9d7ea7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eb085e7c0afe7dd0985400e531d857d43d707fe9ddebfa1ec161d610cc9d7ea7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/fieldmap.js"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 145381, "scanner": "repobility-threat-engine", "fingerprint": "94afd70172f8fd1d60ec40d25b1aa793fe88d135abe41a81c541ea99d72967b2", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password=\"<redacted>\"", "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|public/js/pages/login.js|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/login.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 145380, "scanner": "repobility-threat-engine", "fingerprint": "3c12f3afda662594d63465d44516e2278806d3432063603d598fabd500702db5", "category": "credential_exposure", 
"severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.8 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password = \"<redacted>\"", "reason": "Low entropy value (2.8 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|helpers/logger-api.js|14|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/logger-api.js"}, "region": {"startLine": 146}}}]}, {"ruleId": "SEC105", "level": "warning", "message": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). Each on its own is a finding."}, "properties": {"repobilityId": 145375, "scanner": "repobility-threat-engine", "fingerprint": "1065be178479ae0a8cc369d35495574f6d4d5cad8f26e1c2ff92317e9ec00629", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".cookie(\"rolnopolToken\", result.token, {\n        maxAge: result.cookieMaxAge,\n        httpOnly: fals", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC105", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1065be178479ae0a8cc369d35495574f6d4d5cad8f26e1c2ff92317e9ec00629"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/auth.controller.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 145370, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", 
"severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 145460, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 145459, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 145458, 
"scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 145457, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145422, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6cc0952d53f3768483dd958e3b4bb2bc81f93935400393f50230dc2e2f0aaec5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "services/messenger.service.js", "duplicate_line": 46, "correlation_key": "fp|6cc0952d53f3768483dd958e3b4bb2bc81f93935400393f50230dc2e2f0aaec5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/user.service.js"}, "region": {"startLine": 199}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145421, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ddf240eed95fa97537edc25dd0aa67a7ebee6fffb406a508d9e4b81e96b82cea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "services/blog.service.js", "duplicate_line": 7, "correlation_key": "fp|ddf240eed95fa97537edc25dd0aa67a7ebee6fffb406a508d9e4b81e96b82cea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/post.service.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145420, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f340a05fdc0480bb345c05a5ae8f62979cb85316ae1ba6183ea3aeeb1d00cb4f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "services/messenger-ws.service.js", "duplicate_line": 25, "correlation_key": "fp|f340a05fdc0480bb345c05a5ae8f62979cb85316ae1ba6183ea3aeeb1d00cb4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/notification-ws.service.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145419, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3fc13ef2a4f4114bbdbe26791f31574d6c3fe641cb7d7e7080ba58059092829e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/js/api.js", "duplicate_line": 11, "correlation_key": "fp|3fc13ef2a4f4114bbdbe26791f31574d6c3fe641cb7d7e7080ba58059092829e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/services/api-service.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145418, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84e54be6b4d7f647ec7d46e8c104fa512f31026dd7e7eaff8f670968b7c1fceb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/js/pages/farmer-tape-recorder.js", "duplicate_line": 152, "correlation_key": 
"fp|84e54be6b4d7f647ec7d46e8c104fa512f31026dd7e7eaff8f670968b7c1fceb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/labyrinth.js"}, "region": {"startLine": 212}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145417, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a8e6103e4ca2f83b6ad56d06abba391610c5e6ade3d4a7d795d5ef45e1ad9fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/js/pages/alerts-ai-widget.js", "duplicate_line": 53, "correlation_key": "fp|3a8e6103e4ca2f83b6ad56d06abba391610c5e6ade3d4a7d795d5ef45e1ad9fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/docs-ai-widget.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145416, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c934bcf2aaef8e9800fa8bfa609b763479bdaa566cdb06f19c86ba823e2bb153", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/js/components.js", "duplicate_line": 1, "correlation_key": "fp|c934bcf2aaef8e9800fa8bfa609b763479bdaa566cdb06f19c86ba823e2bb153"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/init.js"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145415, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aad7293dfeb75a6ea1fa63faafd5bba1e37241ca03d5868df25557f2917fce54", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/firefly-notification-plugin/index.js", "duplicate_line": 24, "correlation_key": "fp|aad7293dfeb75a6ea1fa63faafd5bba1e37241ca03d5868df25557f2917fce54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/secret-garden-route-plugin/index.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 145414, "scanner": "repobility-ai-code-hygiene", "fingerprint": "793161975659feaafc31e10e5a7bb0e9837a69292ef8fd89a629467fb0093467", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "controllers/personal-api-key.controller.js", "duplicate_line": 71, "correlation_key": "fp|793161975659feaafc31e10e5a7bb0e9837a69292ef8fd89a629467fb0093467"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/webhook.controller.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block 
across source files"}, "properties": {"repobilityId": 145413, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c9cc0b2f87ebb5edac1f45ee355774be04c983fa57a2aa2f82857c2b11b37e80", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "controllers/blog.controller.js", "duplicate_line": 8, "correlation_key": "fp|c9cc0b2f87ebb5edac1f45ee355774be04c983fa57a2aa2f82857c2b11b37e80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/post.controller.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 145397, "scanner": "repobility-threat-engine", "fingerprint": "526d1eb7808080ec4bff54e19933632b6a332341d11516275b666c71e2f54fda", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|161|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/components/notification.js"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 145396, "scanner": "repobility-threat-engine", "fingerprint": 
"0ff9170bc7f103bd9c51a655f75408a11cf663a81debd3d6e0c8b98542165ea0", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|209|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/components/navigation.js"}, "region": {"startLine": 209}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 145395, "scanner": "repobility-threat-engine", "fingerprint": "23b8bf4aa401f150b827c0b4af175b1ab3e40a870072f67d1251721d45512278", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|69|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/components/cookie-consent.js"}, "region": {"startLine": 69}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `load_areas_txt` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=2, except=1, for=1, if=2, nested_bonus=3."}, "properties": {"repobilityId": 145391, "scanner": "repobility-threat-engine", "fingerprint": "5063c187b928272f907cf8331691902074b2fad5beacb9d4258ff9902e597107", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "load_areas_txt", "breakdown": {"if": 2, "for": 1, "except": 1, "continue": 2, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|5063c187b928272f907cf8331691902074b2fad5beacb9d4258ff9902e597107"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/data/script-to-update-areas.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `update_json` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: for=2, if=2, nested_bonus=6, or=1."}, "properties": {"repobilityId": 145390, "scanner": "repobility-threat-engine", "fingerprint": "a05946f3ff40c5d7f474a166c93874c0ba3bc9f60754791bd8c8abd2d58d02a2", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "update_json", "breakdown": {"if": 2, "or": 1, "for": 2, "nested_bonus": 6}, "complexity": 11, "correlation_key": "fp|a05946f3ff40c5d7f474a166c93874c0ba3bc9f60754791bd8c8abd2d58d02a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/data/script-to-update-areas.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 145369, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Debug mode or a debug route enabled in non-test files (rule wording: Django/Flask DEBUG=True or app.debug=True). The matched file here is JavaScript (routes/debug.route.js), so the Python-framework wording is inherited from the rule rather than describing this match; the concern is the same - confirm that the debug route/flag is disabled or authentication-gated outside development builds."}, "properties": {"repobilityId": 145411, "scanner": "repobility-threat-engine", "fingerprint": "ba36390df3061e00553580d6f2af9657598238c1948e1b1df50231e28611fc1c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba36390df3061e00553580d6f2af9657598238c1948e1b1df50231e28611fc1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/debug.route.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 145407, "scanner": "repobility-threat-engine", "fingerprint": "eb46a32316e09f6cad8e778016ad1e219fe3da06867ad8e9e6d6c9236e27f052", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|15|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/terminal-api-client.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 145402, "scanner": "repobility-threat-engine", "fingerprint": "44490633b02056e6290fab51aad09ccc0975b53bd367c3aa28d043668bf50879", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|44490633b02056e6290fab51aad09ccc0975b53bd367c3aa28d043668bf50879", "aggregated_count": 12}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 145401, "scanner": "repobility-threat-engine", "fingerprint": "1f680d3c72002b9315abacc62bf286dd110c7645ceac5c158856da3f186f6149", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1f680d3c72002b9315abacc62bf286dd110c7645ceac5c158856da3f186f6149"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/components/navigation.js"}, "region": {"startLine": 379}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 
145400, "scanner": "repobility-threat-engine", "fingerprint": "21f7891b08be927895402e233d77c666929cfd4f8a2b7fc74651387efa0af214", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21f7891b08be927895402e233d77c666929cfd4f8a2b7fc74651387efa0af214"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/components/form.js"}, "region": {"startLine": 319}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 145399, "scanner": "repobility-threat-engine", "fingerprint": "55d091912d9b1ce5fdd1e7fe26d84761d47267f7fcf9f82eabcc150ce646d534", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|55d091912d9b1ce5fdd1e7fe26d84761d47267f7fcf9f82eabcc150ce646d534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"public/js/components/cookie-consent.js"}, "region": {"startLine": 167}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 145398, "scanner": "repobility-threat-engine", "fingerprint": "ba3aacacd2a33ee50afdca6450d1bdf5da55ce372033095b443ee81ae02c9f49", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ba3aacacd2a33ee50afdca6450d1bdf5da55ce372033095b443ee81ae02c9f49"}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 145394, "scanner": "repobility-threat-engine", "fingerprint": "64db77b12b74f3d4f19b4d770aedbfcd3d8dc3ca1b6798c885a2c760181920c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64db77b12b74f3d4f19b4d770aedbfcd3d8dc3ca1b6798c885a2c760181920c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/swagger/swagger-initializer.js"}, "region": {"startLine": 13}}}]}, 
{"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 145393, "scanner": "repobility-threat-engine", "fingerprint": "14846a18d6c35ad4b0579033f0ba04b1c1689088bcdededb8c1d96cb66f23130", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Note: SEC020 (repobilityId 145392) matched the same line, public/js/api.js:230, and its evidence is console.log(\"Token error detected, logging out user:\", errorMessage) - the word token appears in the log text but no credential value is printed. Triage this finding together with that one; it is likely the same keyword match rather than a token being logged.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|14846a18d6c35ad4b0579033f0ba04b1c1689088bcdededb8c1d96cb66f23130"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/api.js"}, "region": {"startLine": 230}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 145392, "scanner": "repobility-threat-engine", "fingerprint": "ef54de6f5607f2d8b2d28bfacbeb3acb2231a8fd86081b7d36abcba2a148022b", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(\"Token error detected, logging out user:\", errorMessage)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|public/js/api.js|22|console.log token error detected logging out user: errormessage"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/api.js"}, "region": {"startLine": 230}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 145389, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 145385, "scanner": "repobility-threat-engine", "fingerprint": "b7c14669017ac17f4db12a528258a3816694f17f5dd761479089aa28c6c6fa10", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b7c14669017ac17f4db12a528258a3816694f17f5dd761479089aa28c6c6fa10"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 145379, "scanner": "repobility-threat-engine", "fingerprint": "4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 145374, "scanner": "repobility-threat-engine", "fingerprint": "92af23c733d01113d9820522ca2cfa5d65ce72571508b92f9b7aad61dd38be34", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|92af23c733d01113d9820522ca2cfa5d65ce72571508b92f9b7aad61dd38be34", "aggregated_count": 19}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 145373, "scanner": "repobility-threat-engine", "fingerprint": "cea0aa3c5fb96e20a82187e3d73c7820a8d2e0cd0b5df9d7a28a3291d8cc48de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cea0aa3c5fb96e20a82187e3d73c7820a8d2e0cd0b5df9d7a28a3291d8cc48de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/api.js"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 145372, "scanner": "repobility-threat-engine", "fingerprint": "36256c51bf57e86e7bd31ac62869eda65fbcb1b59962f1bad78a85e41d112e9e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|36256c51bf57e86e7bd31ac62869eda65fbcb1b59962f1bad78a85e41d112e9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/logger-api.js"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 145371, "scanner": "repobility-threat-engine", "fingerprint": "1b130b28829b7ec45c49a59699ef6a6e9069cbef77fb5400075edbe7feddd078", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b130b28829b7ec45c49a59699ef6a6e9069cbef77fb5400075edbe7feddd078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bump-version.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /terminal/porky/end has no auth: Express route POST /terminal/porky/end declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 145470, "scanner": "repobility-route-auth", "fingerprint": "0559196e7bd7efaa301b98226bd250333d16be72420062592e8db267a7224b58", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0559196e7bd7efaa301b98226bd250333d16be72420062592e8db267a7224b58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/terminal.route.js"}, "region": {"startLine": 2228}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /terminal/porky/status has no auth: Express route POST /terminal/porky/status declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 145469, "scanner": "repobility-route-auth", "fingerprint": "d271b5c051f857b8a5f7073d25111b679889bb88baf435a8f1460f853f8910aa", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d271b5c051f857b8a5f7073d25111b679889bb88baf435a8f1460f853f8910aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/terminal.route.js"}, "region": {"startLine": 2207}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /terminal/porky/message has no auth: Express route POST /terminal/porky/message declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 145468, "scanner": "repobility-route-auth", "fingerprint": "62f4ed6732e7c480d54d9a6915535c1818ec99cf655d37d7724e0ed506f855d7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|62f4ed6732e7c480d54d9a6915535c1818ec99cf655d37d7724e0ed506f855d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/terminal.route.js"}, "region": {"startLine": 2185}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /terminal/porky/start has no auth: Express route POST /terminal/porky/start declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 145467, "scanner": "repobility-route-auth", "fingerprint": "61476dd5c927425c0d2a42227c3c34551579ea71ecb74750a21672c3b36232a2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|61476dd5c927425c0d2a42227c3c34551579ea71ecb74750a21672c3b36232a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/terminal.route.js"}, "region": {"startLine": 2164}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /terminal/execute has no auth: Express route POST /terminal/execute declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 145466, "scanner": "repobility-route-auth", "fingerprint": "9e4a3df73ce31aaef542f800825f468204c538126abbe9487476662bd4bd8d5f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9e4a3df73ce31aaef542f800825f468204c538126abbe9487476662bd4bd8d5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/terminal.route.js"}, "region": {"startLine": 2104}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /terminal/sync has no auth: Express route POST /terminal/sync declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 145465, "scanner": "repobility-route-auth", "fingerprint": "1ec7e1c371ecb829c6092b10ac2fdf6a48839001afc7c14729d4c5d8a8b18443", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1ec7e1c371ecb829c6092b10ac2fdf6a48839001afc7c14729d4c5d8a8b18443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/terminal.route.js"}, "region": {"startLine": 2085}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 145464, "scanner": "repobility-route-auth", "fingerprint": "b6158f5ad9b960e3ea68216e7107f0cb3095730dca556eab5bad4ad9844137fe", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b6158f5ad9b960e3ea68216e7107f0cb3095730dca556eab5bad4ad9844137fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/contact.route.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /debug/database/restore-base has no auth: Express route POST /debug/database/restore-base declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 145463, "scanner": "repobility-route-auth", "fingerprint": "b328b934a144e2526fd2258e840ce718f101d7de98cc69817834405637eeadef", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b328b934a144e2526fd2258e840ce718f101d7de98cc69817834405637eeadef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/debug.route.js"}, "region": {"startLine": 52}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /terminal/scripts/:scriptId."}, "properties": {"repobilityId": 145430, "scanner": "repobility-access-control", "fingerprint": "cc4a00eafd145a24078347328747a983616867da0a042cbc3e203456e22294e0", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/terminal/scripts/:scriptId", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|routes/v1/terminal.route.js|2249|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/v1/terminal.route.js"}, "region": {"startLine": 2249}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 145412, "scanner": "repobility-threat-engine", "fingerprint": "bd69f93dea5902819ef18f0d5d8d086743bebc370531fe91ebf4e06f59d4c6fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(exactPattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bd69f93dea5902819ef18f0d5d8d086743bebc370531fe91ebf4e06f59d4c6fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "services/docs.service.js"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without 
an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 145410, "scanner": "repobility-threat-engine", "fingerprint": "1e3044c650df51d178400da04cb47361a28db259128cdee0813b997b8723cfff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post(\"/debug/database/restore-base\", async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1e3044c650df51d178400da04cb47361a28db259128cdee0813b997b8723cfff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/debug.route.js"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 145388, "scanner": "repobility-threat-engine", "fingerprint": "05343f966f36234da92550c5122190f6d76f826648821b0d1fbbebc7ad8ec07e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.update();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|05343f966f36234da92550c5122190f6d76f826648821b0d1fbbebc7ad8ec07e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/components/navigation.js"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 145387, "scanner": "repobility-threat-engine", "fingerprint": "1711a8ff70362171471461ad4bc2f45f8aa382b8e3ae54473b4eab8961566d3a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "props.update(areas[nazwa])", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1711a8ff70362171471461ad4bc2f45f8aa382b8e3ae54473b4eab8961566d3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/data/script-to-update-areas.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 145386, "scanner": "repobility-threat-engine", "fingerprint": "4c48d17a6e9808e708fa6d3008b4ab914dffefcf67b20a76a50c336709f6f085", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "loginAttempts.delete(clientId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c48d17a6e9808e708fa6d3008b4ab914dffefcf67b20a76a50c336709f6f085"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "middleware/rate-limit.middleware.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 145384, "scanner": "repobility-threat-engine", "fingerprint": "8f56f72eb540fe35f974297cd6e363af4bc0d4d38667e44311ea354816fdf5f4", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `\n      <div class=\"notification-header\">\n        <div class=\"notification-icon\">${icon", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f56f72eb540fe35f974297cd6e363af4bc0d4d38667e44311ea354816fdf5f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/components/notification.js"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 145383, "scanner": "repobility-threat-engine", "fingerprint": "0b1ddd03d48d4a19aa1508456b28d963e39a2f45b436c90b773a5ef1ce9667c4", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `\n      <span class=\"nav__welcome\">\n        Welcome, <span class=\"nav__username\">${user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0b1ddd03d48d4a19aa1508456b28d963e39a2f45b436c90b773a5ef1ce9667c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/components/navigation.js"}, "region": {"startLine": 209}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 145382, "scanner": "repobility-threat-engine", "fingerprint": "242ff1ae6e5123ba5866a796dacf23a1c56717ef9c93158d982e000b3b26b823", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${key}=\"${escapeLabelValue(value)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|242ff1ae6e5123ba5866a796dacf23a1c56717ef9c93158d982e000b3b26b823"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/prometheus-metrics.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 145378, "scanner": "repobility-threat-engine", "fingerprint": "b8cc4e1ad59171e43d2fdce5a9eff2e5ff88e4c6f2b015ece8bf4eb7976184c1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b8cc4e1ad59171e43d2fdce5a9eff2e5ff88e4c6f2b015ece8bf4eb7976184c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/api.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 145377, "scanner": "repobility-threat-engine", "fingerprint": "082607529cc4d6fdcac79a15542ffadef4c783a8e4f144eb67994e47ba0fc697", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|082607529cc4d6fdcac79a15542ffadef4c783a8e4f144eb67994e47ba0fc697"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/notification-center/channels/webhook-dispatcher.js"}, "region": {"startLine": 191}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 145376, "scanner": "repobility-threat-engine", "fingerprint": "b88c968581d2b86d0c5a4807973b36855010ab569eb3bf4c8c4b29655a368e32", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b88c968581d2b86d0c5a4807973b36855010ab569eb3bf4c8c4b29655a368e32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/avatar-image.js"}, "region": {"startLine": 125}}}]}]}]}