{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /custom-skills/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /planner/push-to-cale"}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /planner/push-to-calendar/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 16.2% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 16.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 16.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /code/project/:id/zip/route."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /code/project/:id/zip/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/284"}, "properties": {"repository": "skalesapp/skales", "repoUrl": "https://github.com/skalesapp/skales", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8867, "scanner": "repobility-journey-contract", "fingerprint": "790f6d26e18d140d0e167a314fe10e1c82c99074559021a40014e7c1866aa961", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/autopilot/interview", "correlation_key": "fp|790f6d26e18d140d0e167a314fe10e1c82c99074559021a40014e7c1866aa961", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 382}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8866, "scanner": "repobility-journey-contract", "fingerprint": "2d7e3df9e73b6994d32260560f618cc17aae0888e04e1619e69c3a142a586c30", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/autopilot/interview", "correlation_key": "fp|2d7e3df9e73b6994d32260560f618cc17aae0888e04e1619e69c3a142a586c30", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 366}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8865, "scanner": "repobility-journey-contract", "fingerprint": "9a3b4cb4e3e772cc028ca37e733a4d959e70b5915f9d0a3e9c9cf599a9094268", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/autopilot", "correlation_key": "fp|9a3b4cb4e3e772cc028ca37e733a4d959e70b5915f9d0a3e9c9cf599a9094268", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 355}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8864, "scanner": "repobility-journey-contract", "fingerprint": "820f022b1d2d36c2e576d65233cd2eeea5527d37017732565b65f406f41723c4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/autopilot", "correlation_key": "fp|820f022b1d2d36c2e576d65233cd2eeea5527d37017732565b65f406f41723c4", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 346}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8863, "scanner": "repobility-journey-contract", "fingerprint": "257ccae0fd88689fbdd1f89bdb8e327f315640d752f6afdfa4d94b2cc6eceea0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/autopilot", "correlation_key": "fp|257ccae0fd88689fbdd1f89bdb8e327f315640d752f6afdfa4d94b2cc6eceea0", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 334}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8862, "scanner": "repobility-journey-contract", "fingerprint": "b1a5445c6820b48c7df95f2fa0a9486b5d53a25abaf61a66d7d5b2fe1a1fe391", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/autopilot", "correlation_key": "fp|b1a5445c6820b48c7df95f2fa0a9486b5d53a25abaf61a66d7d5b2fe1a1fe391", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 323}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8861, "scanner": "repobility-journey-contract", "fingerprint": "8b388ce0012342f642109c601fd756da34c3db81d3f81e00a3d52bfcecc22643", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/autopilot", "correlation_key": "fp|8b388ce0012342f642109c601fd756da34c3db81d3f81e00a3d52bfcecc22643", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 265}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8860, "scanner": "repobility-journey-contract", "fingerprint": "3fb003142810cb13c76b2ccf81a6550751cad98b8c1013452dc41f8a22ab55f4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/autopilot", "correlation_key": "fp|3fb003142810cb13c76b2ccf81a6550751cad98b8c1013452dc41f8a22ab55f4", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 250}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8859, "scanner": "repobility-journey-contract", "fingerprint": "08164b06dedbfc34162282c7eaadc53a0a00715360252bf041884292259f3eca", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/autopilot", "correlation_key": "fp|08164b06dedbfc34162282c7eaadc53a0a00715360252bf041884292259f3eca", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 239}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8858, "scanner": "repobility-journey-contract", "fingerprint": "e89b83c476960d6e985e36b487e3a016760cc7eb3fe3943e8d9d1522c933b708", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/autopilot", "correlation_key": "fp|e89b83c476960d6e985e36b487e3a016760cc7eb3fe3943e8d9d1522c933b708", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 224}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8857, "scanner": "repobility-journey-contract", "fingerprint": "abe88d551e32c3429bfe2ffceb72331eb95fe82f9d8bc8a50485ff7aa65836e0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/system/open-folder", "correlation_key": "fp|abe88d551e32c3429bfe2ffceb72331eb95fe82f9d8bc8a50485ff7aa65836e0", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 135}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8856, "scanner": "repobility-journey-contract", "fingerprint": "04bbd74e38f37c86a72a3acb894e9561b4ceb5d6c81724e5e2c20e2e6f36246b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/system/open-folder", "correlation_key": "fp|04bbd74e38f37c86a72a3acb894e9561b4ceb5d6c81724e5e2c20e2e6f36246b", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/autopilot/page.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8855, "scanner": "repobility-journey-contract", "fingerprint": "4d38468abcc863274d3bab674d0a247c0ce8d3149a001e12cb0b2a0d5a07dc0b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/file", "correlation_key": "fp|4d38468abcc863274d3bab674d0a247c0ce8d3149a001e12cb0b2a0d5a07dc0b", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/actions/browser-control.ts"}, "region": {"startLine": 609}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8854, "scanner": "repobility-journey-contract", "fingerprint": "9bfcaf426a49a7c2fa1b457533152cabdeddd7169be132b3f92c2e61493f455c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/file", "correlation_key": "fp|9bfcaf426a49a7c2fa1b457533152cabdeddd7169be132b3f92c2e61493f455c", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/actions/browser-control.ts"}, "region": {"startLine": 309}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 8853, "scanner": "repobility-journey-contract", "fingerprint": "759587b27560da3dba452cd503800e343753d213d8c627da243a9bc4cf3eab78", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/chat", "correlation_key": "fp|759587b27560da3dba452cd503800e343753d213d8c627da243a9bc4cf3eab78", "backend_endpoint_count": 80}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/discord-bot.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PATCH /custom-skills/route."}, "properties": {"repobilityId": 8851, "scanner": "repobility-access-control", "fingerprint": "924b50fd121fb7ec515a4ea284dce500428d9ac36061045f28be5954a511ca5f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/custom-skills/route", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|34|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/custom-skills/route.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /custom-skills/route."}, "properties": {"repobilityId": 8850, "scanner": "repobility-access-control", "fingerprint": "d4a09c7449a3e90bf536d18bd6d4a4bc99d41c6e238f7c606737d8cdc8d1b311", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/custom-skills/route", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|24|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/custom-skills/route.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /custom-skills/route."}, "properties": {"repobilityId": 8849, "scanner": "repobility-access-control", "fingerprint": "4f0584320cfbf1dfc4a2446b1aeddf6157ae9cf824be92caee79f1af2fed49ba", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/custom-skills/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|18|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/custom-skills/route.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /casting/route."}, "properties": {"repobilityId": 8848, "scanner": "repobility-access-control", "fingerprint": "c7b2ca9484377d5878357a7ca7d56a16b0759094b0d633af9a406e588bae7c82", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/casting/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|106|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/casting/route.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /casting/route."}, "properties": {"repobilityId": 8847, "scanner": "repobility-access-control", "fingerprint": "dea6849dfce0f001abcd4e13d8700235333b82ce966d21c6ef69cbd707785b34", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/casting/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|35|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/casting/route.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /buddy-memory/route."}, "properties": {"repobilityId": 8846, "scanner": "repobility-access-control", "fingerprint": "90f69558c5a561208e7c951291fa54a57f96bb668974056d228c55c4c350a809", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/buddy-memory/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|64|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/buddy-memory/route.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /buddy-memory/route."}, "properties": {"repobilityId": 8845, "scanner": "repobility-access-control", "fingerprint": "11561163408a9220ad901c00d3fd370fcc4fbb66b2dcfb91b55d1d4c624a853a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/buddy-memory/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|52|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/buddy-memory/route.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /feedback/route."}, "properties": {"repobilityId": 8844, "scanner": "repobility-access-control", "fingerprint": "4015b9ff8534807a0369423bc975f795776b76c01dfba0802e43ddec344205ce", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/feedback/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|36|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/feedback/route.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /autonomous/route."}, "properties": {"repobilityId": 8843, "scanner": "repobility-access-control", "fingerprint": "cd69e54b8ce96cf898b9ed9f424dd2ca56f2d3938e84f0c531b940577c419254", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/autonomous/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|46|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/autonomous/route.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /autonomous/route."}, "properties": {"repobilityId": 8842, "scanner": "repobility-access-control", "fingerprint": "40f7a1dded3f5fd6a79cb112f7e7ad3277bb93d63ed5f3245d138117c8e5b63b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/autonomous/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|27|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/autonomous/route.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /planner/push-to-calendar/route."}, "properties": {"repobilityId": 8841, "scanner": "repobility-access-control", "fingerprint": "20f3d43dcdfaf7c339f63e6efcacf1aa3d26f6da38a616eac7bf90e282184c62", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/planner/push-to-calendar/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|3|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/planner/push-to-calendar/route.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/get/route."}, "properties": {"repobilityId": 8840, "scanner": "repobility-access-control", "fingerprint": "2dbd68dd5114641e47422836403ac41ab2255ed78ce545d04d62f7fbce45eea1", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/get/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|30|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/settings/get/route.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 16.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 8836, "scanner": "repobility-access-control", "fingerprint": "10b5955db03898d7e8c2b2e657d6a22c6c14cfb519c1524ffdf2510aea74a7bf", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 80, "correlation_key": "fp|10b5955db03898d7e8c2b2e657d6a22c6c14cfb519c1524ffdf2510aea74a7bf", "auth_visible_percent": 16.2}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 8835, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8829, "scanner": "repobility-threat-engine", "fingerprint": "8aa84be291f0b4c6f4f2b5961c55416576d9a7fb9cffc50a46f833bc3c6a27d1", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8aa84be291f0b4c6f4f2b5961c55416576d9a7fb9cffc50a46f833bc3c6a27d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/discord-bot.js"}, "region": {"startLine": 165}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8828, "scanner": "repobility-threat-engine", "fingerprint": "ea24f96c52466b15f43b509d05fa936aa47b7124baafac691b2089421f604c61", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => { })", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea24f96c52466b15f43b509d05fa936aa47b7124baafac691b2089421f604c61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/whatsapp-bot.js"}, "region": {"startLine": 452}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8827, "scanner": "repobility-threat-engine", "fingerprint": "0e045757814a76e26aecedd976c7d35245df8af9795753184ea665c87b81d442", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0e045757814a76e26aecedd976c7d35245df8af9795753184ea665c87b81d442"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/telegram-bot.js"}, "region": {"startLine": 202}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 8822, "scanner": "repobility-agent-runtime", "fingerprint": "88b5e7dea88ddfe4551b7c850cb6fa45c18d75190c41db60c7af94a62254f4ee", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|88b5e7dea88ddfe4551b7c850cb6fa45c18d75190c41db60c7af94a62254f4ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/settings/page.tsx"}, "region": {"startLine": 1314}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 8821, "scanner": "repobility-agent-runtime", "fingerprint": "ec47df6efbde24da210c8f55730839337496098e40a72a62bd90f3b41102d38a", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ec47df6efbde24da210c8f55730839337496098e40a72a62bd90f3b41102d38a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/custom-skills/page.tsx"}, "region": {"startLine": 1113}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 8820, "scanner": "repobility-agent-runtime", "fingerprint": "6e4cd63c60dda215c46d8be83e9bb3a8586508e7da05759538be1f5b5555e276", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|6e4cd63c60dda215c46d8be83e9bb3a8586508e7da05759538be1f5b5555e276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/chat/page.tsx"}, "region": {"startLine": 3445}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 8819, "scanner": "repobility-agent-runtime", "fingerprint": "0459dcf61a773ed08fe48584ff4458047427f093ceccac0d9b0a8cc8dc0a0b6d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0459dcf61a773ed08fe48584ff4458047427f093ceccac0d9b0a8cc8dc0a0b6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/actions/computer-use.ts"}, "region": {"startLine": 304}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 8818, "scanner": "repobility-agent-runtime", "fingerprint": "ebe3270bf415b657d004186034020355435df9b34b94c5ff84031f3ea67e5352", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ebe3270bf415b657d004186034020355435df9b34b94c5ff84031f3ea67e5352"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "INSTALL-LINUX.md"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8817, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd15ab0371339492c66979e5c9b1993ff8728888da5215f804382d0e6dd90eab", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/web/src/app/api/custom-skills/fix/route.ts", "duplicate_line": 93, "correlation_key": "fp|bd15ab0371339492c66979e5c9b1993ff8728888da5215f804382d0e6dd90eab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/custom-skills/generate/route.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 8816, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 8852, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8833, "scanner": "repobility-threat-engine", "fingerprint": "22201e8a5d82aee191842aa8e3c40dc1b535c77e2d833403d086880b5b8abfd9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('Failed to load secrets:', e)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|console.error failed to load secrets: e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/actions/secrets.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8832, "scanner": "repobility-threat-engine", "fingerprint": "82f64eec66d40e73e092ba3ca6a2ee9da8aacccead21d845e77cd508e1abdb99", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`[Skales] Chat \u2192 ${provider} (${providerConfig.model})", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|90|console.log skales chat provider providerconfig.model"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/actions/chat.ts"}, "region": {"startLine": 906}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8831, "scanner": "repobility-threat-engine", "fingerprint": "d5648708dcb6f0861709142134bae0000f128211574f6d41500d8ca32088474c", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`[Skales Vision] Ollama: active model \"${currentModel}\" is not vision-capable \u2192 switchin", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|485|console.log skales vision ollama: active model currentmodel is not vision-capable switchin"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/actions/orchestrator.ts"}, "region": {"startLine": 4851}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 8830, "scanner": "repobility-threat-engine", "fingerprint": "75f18ac8b864166e25602abf2173bf612fdf43d808a54fd30a961602a93d8693", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|75f18ac8b864166e25602abf2173bf612fdf43d808a54fd30a961602a93d8693"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 8826, "scanner": "repobility-threat-engine", "fingerprint": "8ee066dca3ffafc9f8db45d10494445122e6c388ca30666d89cef29694127e3c", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8ee066dca3ffafc9f8db45d10494445122e6c388ca30666d89cef29694127e3c"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 8825, "scanner": "repobility-threat-engine", "fingerprint": "ea4fbe18ce834d452b20e2c564e33df0b94604a86119b906fa539e8e9a55aad0", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|364|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/actions/email.ts"}, "region": {"startLine": 364}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 8824, "scanner": "repobility-threat-engine", "fingerprint": "a0683f40fc0eee7820dbb4b3f0ee1b7645dfd9e7fc8e4522d29db7148fe357f6", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|apps/web/telegram-bot.js|1062|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/telegram-bot.js"}, "region": {"startLine": 1062}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 8823, "scanner": "repobility-threat-engine", "fingerprint": "4aacc0f471f7771262ffb8e3289b35bc11c0aae02174a540cd4cf5ab559d8d5b", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|electron/main.js|690|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "electron/main.js"}, "region": {"startLine": 690}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 8875, "scanner": "repobility-journey-contract", "fingerprint": "da5089623226db32aa8d04f310e16ad3f4fc323842c8bc02b777084b1d830b74", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|5769|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/settings/page.tsx"}, "region": {"startLine": 5769}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 8874, "scanner": "repobility-journey-contract", "fingerprint": "940171af55ed65732d26f4ce0808d7ca728b17d789b669ca67f2482a51ce0066", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|4746|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/settings/page.tsx"}, "region": {"startLine": 4746}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 8873, "scanner": "repobility-journey-contract", "fingerprint": "5c20f9aa496eba0ddb992abb8eb477bc86b2c165e9e8a9eb33f77f82b59cb04d", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|4233|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/settings/page.tsx"}, "region": {"startLine": 4233}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 8872, "scanner": "repobility-journey-contract", "fingerprint": "897b3be228e666fd1e536b84ffcb297cb701aee5552a50258be33acbc1c9dd9e", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|4119|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/settings/page.tsx"}, "region": {"startLine": 4119}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 8871, "scanner": "repobility-journey-contract", "fingerprint": "8c45c855be8cdad1acba2ab39bc937f5c3e11ff95e6950585e81a2596eb4dfb1", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|3451|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/settings/page.tsx"}, "region": {"startLine": 3451}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 8870, "scanner": "repobility-journey-contract", "fingerprint": "00c09011ba1a86dfe9927aa69f6e40a848a46b5154085e8c52fee623f37585a4", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|3090|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/settings/page.tsx"}, "region": {"startLine": 3090}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 8869, "scanner": "repobility-journey-contract", "fingerprint": "255f90c120f678b1e483288be8e1ed37b647d6f9484f809a4b7aed98fbf03dae", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|3064|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/settings/page.tsx"}, "region": {"startLine": 3064}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 8868, "scanner": "repobility-journey-contract", "fingerprint": "59033b4f7899215bd7a5bc353657de94a4d5700b1612d6f46fd74b7a2578e0a4", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|524|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/bootstrap/page.tsx"}, "region": {"startLine": 524}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /code/project/:id/zip/route."}, "properties": {"repobilityId": 8839, "scanner": "repobility-access-control", "fingerprint": "8ebc55a3fa71aa2bc531cddb8eefc3da113f6a4ac80ac2db0b5b9e9bb38f94c8", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/code/project/:id/zip/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / id /zip/route.ts|13|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/code/project/[id]/zip/route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /code/project/:id/deploy-config/route."}, "properties": {"repobilityId": 8838, "scanner": "repobility-access-control", "fingerprint": "637945215299d692d6127a69d9da9b46ae86443b7865f02b7c2af4c78ea3e708", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/code/project/:id/deploy-config/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / id /deploy-config/route.ts|40|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/code/project/[id]/deploy-config/route.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /code/preview/:id/:...filepath/route."}, "properties": {"repobilityId": 8837, "scanner": "repobility-access-control", "fingerprint": "8b0e0b062620b76216765648a19492de93ec1b0e358461359ba5b1cb7bfbb03f", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/code/preview/:id/:...filepath/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / id / ...filepath /route.ts|24|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/api/code/preview/[id]/[...filepath]/route.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 8834, "scanner": "repobility-threat-engine", "fingerprint": "8a1f751f12598f50b8b25b5aed855ea6b97979504de3125cd52c60b08aff591b", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(false); setQuery", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|340|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/web/src/app/buddy/page.tsx"}, "region": {"startLine": 340}}}]}]}]}