{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Intervals created in React hooks or components should be cleared on unmount. Missing cleanup can keep stale callbacks alive after recording, polling, or overlay components close."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 523 lines (recommend <300)", "shortDescription": {"text": "Average file size is 523 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC010", "name": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.", "shortDescription": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "fullDescription": {"text": "Remove immediately and rotate the token. Use environment variables."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "A frontend journey appears to ask for consent to share identity/KYC/biometric data, but backend code does not show a consent audit model with scope, purpose, legal text version, timestamp, IP, or user-agent evidence."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKC002", "name": "Compose service uses host networking", "shortDescription": {"text": "Compose service uses host networking"}, "fullDescription": {"text": "Sharing host namespaces reduces isolation and can expose host processes, networking, or IPC resources."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage runs as root", "shortDescription": {"text": "Docker final stage runs as root"}, "fullDescription": {"text": "The final runtime stage explicitly uses root. A compromised app process would have root inside the container."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. This can exfiltrate sessions when callback validation is incomplete."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/320"}, "properties": {"repository": "qingchencloud/clawpanel", "repoUrl": "https://github.com/qingchencloud/clawpanel", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 10248, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 10247, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 10232, "scanner": "repobility-threat-engine", "fingerprint": "2a21b49496f351519740fbed34aa1d8ade1a3c6163ce87aa794573b51a4b0b1c", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "Password = '<redacted>'", "reason": "Low entropy value (2.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|src/pages/security.js|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/security.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 10231, "scanner": "repobility-threat-engine", "fingerprint": "d3d1eba063a6d1e4fb1ad6665120d297c46f043e4b173257e393e89f92a242d9", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "Password = '<redacted>'", "reason": "Low entropy value (2.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|scripts/dev-api.js|904|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/dev-api.js"}, "region": {"startLine": 9046}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 10229, "scanner": "repobility-threat-engine", "fingerprint": "6ca8301b825ee901c8b26918547068b266a1243825bb7d524e7c3f949f5ad638", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6ca8301b825ee901c8b26918547068b266a1243825bb7d524e7c3f949f5ad638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/push-sw.js"}, "region": {"startLine": 62}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 10228, "scanner": "repobility-threat-engine", "fingerprint": "bbecc5ca4ea3cb7dbad973d271f56fdc85c26fbe8ead0109041afda80b96f502", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bbecc5ca4ea3cb7dbad973d271f56fdc85c26fbe8ead0109041afda80b96f502"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/router.js"}, "region": {"startLine": 52}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 10227, "scanner": "repobility-threat-engine", "fingerprint": "30ddbf94e0a0fe4c44f883a9400eb030242e88853c791d03abf9160958dbac27", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|30ddbf94e0a0fe4c44f883a9400eb030242e88853c791d03abf9160958dbac27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main.js"}, "region": {"startLine": 421}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10216, "scanner": "repobility-agent-runtime", "fingerprint": "f99679b215cf335d205bb896dce2b1583c534f3040dc4316b0bdb0740141b724", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|f99679b215cf335d205bb896dce2b1583c534f3040dc4316b0bdb0740141b724"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/dashboard.js"}, "region": {"startLine": 880}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10215, "scanner": "repobility-agent-runtime", "fingerprint": "52cf5eb5d11ab746723c7966b4cb038956a3bfef1c3c431af9faaed61d100b4e", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|52cf5eb5d11ab746723c7966b4cb038956a3bfef1c3c431af9faaed61d100b4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/i18n.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10214, "scanner": "repobility-agent-runtime", "fingerprint": "d53fcd34f2409c2552563c235b7ecf6dcc78ab438c45547b5a51e6c8a2118ece", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|d53fcd34f2409c2552563c235b7ecf6dcc78ab438c45547b5a51e6c8a2118ece"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/ciao-bug-warning.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10213, "scanner": "repobility-agent-runtime", "fingerprint": "440db146d1bd935e762751874e0076f301192cd6fcd8440fe29e50d28360ebcd", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|440db146d1bd935e762751874e0076f301192cd6fcd8440fe29e50d28360ebcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/engines/hermes/lib/chat-store.js"}, "region": {"startLine": 72}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10212, "scanner": "repobility-agent-runtime", "fingerprint": "5bb0c3b8ea2802a83e060a1702329a32ab3e8f41326bf6d0258b82fc74bbb443", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|5bb0c3b8ea2802a83e060a1702329a32ab3e8f41326bf6d0258b82fc74bbb443"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/sidebar.js"}, "region": {"startLine": 183}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10211, "scanner": "repobility-agent-runtime", "fingerprint": "9afb3bd319ce6f5b59b451e22b41d04e92beaee144f88be88485f593cb0723be", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|9afb3bd319ce6f5b59b451e22b41d04e92beaee144f88be88485f593cb0723be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/cli-conflict-banner.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10210, "scanner": "repobility-agent-runtime", "fingerprint": "a7d23c42dabea0b6b7aa313657565fc2f90814d9045ba3dd9f7bd34f2aa3a181", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|a7d23c42dabea0b6b7aa313657565fc2f90814d9045ba3dd9f7bd34f2aa3a181"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/ai-drawer.js"}, "region": {"startLine": 208}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 10209, "scanner": "repobility-agent-runtime", "fingerprint": "053135f759a8209efdb9f009fb44a2fbd8db9befbc3dab4e7aa214626ee03c98", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|053135f759a8209efdb9f009fb44a2fbd8db9befbc3dab4e7aa214626ee03c98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/dev-api.js"}, "region": {"startLine": 9060}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 10208, "scanner": "repobility-agent-runtime", "fingerprint": "e14ccff46afb6e760e9fdf2149365143ce30263245ad4e8610f1296a68b05b33", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|e14ccff46afb6e760e9fdf2149365143ce30263245ad4e8610f1296a68b05b33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 375}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10207, "scanner": "repobility-agent-runtime", "fingerprint": "7f022f1c5210372b9f54b44d6c5bd547e1d25a7617a6a828beab2abcf8af75f4", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7f022f1c5210372b9f54b44d6c5bd547e1d25a7617a6a828beab2abcf8af75f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.zh-TW.md"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10206, "scanner": "repobility-agent-runtime", "fingerprint": "3f9172159f4c1330a656561f3654ef8a2a337a5bc54cea62e3d269f2dd59334a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3f9172159f4c1330a656561f3654ef8a2a337a5bc54cea62e3d269f2dd59334a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.vi.md"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10205, "scanner": "repobility-agent-runtime", "fingerprint": "0b0918e18b368c1211ba14b93c8d1cbffa2283b68afeb3e4f7e7022660c3df2f", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0b0918e18b368c1211ba14b93c8d1cbffa2283b68afeb3e4f7e7022660c3df2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.ru.md"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10204, "scanner": "repobility-agent-runtime", "fingerprint": "01ae4e4234136ae41c6bd2eb909dc68faf635af07d08d519e836c1fa61bd4729", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|01ae4e4234136ae41c6bd2eb909dc68faf635af07d08d519e836c1fa61bd4729"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.pt.md"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10203, "scanner": "repobility-agent-runtime", "fingerprint": "5c337bb4e93f605139b9ba34695039c1b5f72120c0fda76fe895c41ade929789", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5c337bb4e93f605139b9ba34695039c1b5f72120c0fda76fe895c41ade929789"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 202}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10202, "scanner": "repobility-agent-runtime", "fingerprint": "820a91d19954ab3c2892a04a72a862fbe6406890cba18a5b90852d8bf824aaf0", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|820a91d19954ab3c2892a04a72a862fbe6406890cba18a5b90852d8bf824aaf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.ko.md"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10201, "scanner": "repobility-agent-runtime", "fingerprint": "1d02734a78a1ed45957f3e54f69ee34d4d202c420011e84a45ba5afaeb2afffa", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|1d02734a78a1ed45957f3e54f69ee34d4d202c420011e84a45ba5afaeb2afffa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.ja.md"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10200, "scanner": "repobility-agent-runtime", "fingerprint": "8ee03a13583e1e56f678cb0c63c00f0136672517d20ac48c374ed637cea27370", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8ee03a13583e1e56f678cb0c63c00f0136672517d20ac48c374ed637cea27370"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.fr.md"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10199, "scanner": "repobility-agent-runtime", "fingerprint": "cdf7eae597acc58b68be83fa73950ba45ee9ed55c23b4773008ea77ed6fd4f5d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cdf7eae597acc58b68be83fa73950ba45ee9ed55c23b4773008ea77ed6fd4f5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.es.md"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10198, "scanner": "repobility-agent-runtime", "fingerprint": "cea9cb4e0a69403f070215f55b5c33c6ee7c88cdb61dba07b6e3bcef6b1ec6f0", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cea9cb4e0a69403f070215f55b5c33c6ee7c88cdb61dba07b6e3bcef6b1ec6f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.en.md"}, "region": {"startLine": 129}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10197, "scanner": "repobility-agent-runtime", "fingerprint": "60a24b8a75ad7473657ee3116fd00b5cf3567c790cfc8790749e5c22c97c48dd", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|60a24b8a75ad7473657ee3116fd00b5cf3567c790cfc8790749e5c22c97c48dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.de.md"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 10196, "scanner": "repobility-agent-runtime", "fingerprint": "4dabb6803873783fcd86e3c55019cf23f851b38e9e9a579606217d58fa62374d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4dabb6803873783fcd86e3c55019cf23f851b38e9e9a579606217d58fa62374d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CONTRIBUTING.md"}, "region": {"startLine": 462}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10195, "scanner": "repobility-ai-code-hygiene", "fingerprint": "afe28865352b8c96aed9f3224b1f58293b3cc949951afc5d926169863ded68ca", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/gateway-ownership.js", "duplicate_line": 19, "correlation_key": "fp|afe28865352b8c96aed9f3224b1f58293b3cc949951afc5d926169863ded68ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/settings.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10194, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75210511e156e9aec59e1553767ccb0427bcfbd15ba27170de01f213ff1126a1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/lib/gateway-ownership.js", "duplicate_line": 19, "correlation_key": "fp|75210511e156e9aec59e1553767ccb0427bcfbd15ba27170de01f213ff1126a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/dashboard.js"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10193, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca1455c8c8fdacfecc4eba8803d868d86b2484704fe6c0bbee02d1ca74687aa6", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/engines/hermes/pages/kanban.js", "duplicate_line": 14, "correlation_key": "fp|ca1455c8c8fdacfecc4eba8803d868d86b2484704fe6c0bbee02d1ca74687aa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/engines/hermes/pages/profiles.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10192, "scanner": "repobility-ai-code-hygiene", "fingerprint": "857bdb250f5b059ced3db4fea366108e1ee1a21743e1a6d4586f0c289becda2a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/engines/hermes/pages/kanban.js", "duplicate_line": 14, "correlation_key": "fp|857bdb250f5b059ced3db4fea366108e1ee1a21743e1a6d4586f0c289becda2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/engines/hermes/pages/oauth.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 10191, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b9e19bb8ef86f71202163a25447dd3f69b6b408298b79c6eeaab847de2b0b9d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/components/floor-blocker.js", "duplicate_line": 47, "correlation_key": "fp|5b9e19bb8ef86f71202163a25447dd3f69b6b408298b79c6eeaab847de2b0b9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/kernel-badge.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 523 lines (recommend <300)"}, "properties": {"repobilityId": 10190, "scanner": "repobility-core", "fingerprint": "5e6e94777202e6ee9a8777b2c2465d3193214fb12b558ec3714f8d7240c2cef0", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|5e6e94777202e6ee9a8777b2c2465d3193214fb12b558ec3714f8d7240c2cef0"}}}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 10246, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 10245, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 10244, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 10243, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10237, "scanner": "repobility-docker", "fingerprint": "b71f7e7dac719103b5ceb9e804638d2bededf8aa29e32485d7b076d0e9f9f35a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "clawpanel", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b71f7e7dac719103b5ceb9e804638d2bededf8aa29e32485d7b076d0e9f9f35a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 10235, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 10221, "scanner": "repobility-threat-engine", "fingerprint": "259bb877fc9d9cfaccc228d11dce0a59cf83b2461ee0e30ff094a3e77c56af07", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|src/pages/settings.js|70|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/settings.js"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 10220, "scanner": "repobility-threat-engine", "fingerprint": "367a5318cc8d75b117cccc4d86fd1c0e95dcf4965eb5bc986c4ca61b50341a78", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|src/router.js|66|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/router.js"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 10219, "scanner": "repobility-threat-engine", "fingerprint": "a9052aad1926dde276f8e5ddbb9c4085afb9641c8a2ba2560c20653e4dbfb86f", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|src/main.js|101|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main.js"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC010", "level": "none", "message": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "properties": {"repobilityId": 10233, "scanner": "repobility-threat-engine", "fingerprint": "f7de02134a4c47325aee90c137ecfe35c56dca1c8fc762ec0f556e62da49d41d", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Form field or UI element reference", "evidence": {"match": "xoxb-xxxxxxxxxxxx", "reason": "Form field or UI element reference", "rule_id": "SEC010", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|src/pages/channels.js|14|xoxb-xxxxxxxxxxxx"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/channels.js"}, "region": {"startLine": 142}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 10230, "scanner": "repobility-threat-engine", "fingerprint": "919d245e9431d20981d4b8a7f4317c5fe82f5332b30941094c73042962d68c74", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|919d245e9431d20981d4b8a7f4317c5fe82f5332b30941094c73042962d68c74"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 10226, "scanner": "repobility-threat-engine", "fingerprint": "7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10225, "scanner": "repobility-threat-engine", "fingerprint": "889fa931e05b3c8b54668072e76ba8dfc32a81f9ba06e61919dffd2fc2cb9986", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|25|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/engines/hermes/pages/group-chat.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10224, "scanner": "repobility-threat-engine", "fingerprint": "851c23f165c151897f0bb7c1e8211f55b5996b56809955430c44160481b17aea", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|src/pages/assistant.js|1040|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/assistant.js"}, "region": {"startLine": 1040}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10223, "scanner": "repobility-threat-engine", "fingerprint": "7fd0aad15460ba11347494761e05710d1841f3da9f25fdca26b8c29e98318e0a", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|src/main.js|173|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main.js"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 57 more): Same pattern found in 57 additional files. Review if needed."}, "properties": {"repobilityId": 10222, "scanner": "repobility-threat-engine", "fingerprint": "8374a107d6b2023b6f0da56309ad3fe3e7ca2320b6f79f782631e8af062f8f9e", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 57 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 57 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8374a107d6b2023b6f0da56309ad3fe3e7ca2320b6f79f782631e8af062f8f9e"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10218, "scanner": "repobility-threat-engine", "fingerprint": "31e8cfba2e1ab29c68434ba1fd3028de54c34ec772955a53fb71e84564434ddb", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.warn(`[hermes guardian] patched config.yaml (api_server.enabled)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|scripts/dev-api.js|771|console.warn hermes guardian patched config.yaml api_server.enabled"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/dev-api.js"}, "region": {"startLine": 7719}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 10242, "scanner": "repobility-journey-contract", "fingerprint": "14d720984654489788f5e6fde71ef1b185035f3676e5474ab18cbc8b576d720d", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/pages/gateway.js|168|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/gateway.js"}, "region": {"startLine": 168}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 10241, "scanner": "repobility-journey-contract", "fingerprint": "e3548e5d199b2c33a95513d7b718e69673e4d93095a5b1603799b7381d6fec1d", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/pages/assistant.js|4054|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/assistant.js"}, "region": {"startLine": 4054}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 10240, "scanner": "repobility-journey-contract", "fingerprint": "927317aa501a9a3c5c41ec58d9433409d594084db6cd8bdc1866d2c9ba1b16e0", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/pages/assistant.js|3797|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pages/assistant.js"}, "region": {"startLine": 3797}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 10239, "scanner": "repobility-journey-contract", "fingerprint": "a746103e30d9e6951020ec33ccaade321d7757285c6661176a3d7477b9f95a9d", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|src/lib/error-diagnosis.js|25|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/error-diagnosis.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 10236, "scanner": "repobility-docker", "fingerprint": "c91de3ad6da94591ba7ee1768c5e2ec7385df26f06c01c23d1ced4a5bb4da9b7", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "clawpanel", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c91de3ad6da94591ba7ee1768c5e2ec7385df26f06c01c23d1ced4a5bb4da9b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 10234, "scanner": "repobility-docker", "fingerprint": "c73b160140094ea56b32331607b18bf33dfeca1bbd00f1514584527d61dcafca", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c73b160140094ea56b32331607b18bf33dfeca1bbd00f1514584527d61dcafca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10217, "scanner": "repobility-threat-engine", "fingerprint": "f5379334bb2d258c49de24753b23f2f1fb676f609cc3991752396bd534e801ab", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Console output includes a credential-bearing template expression.", "evidence": {"match": "console.log(`[main] WebSocket \u8fde\u63a5\u5df2\u542f\u52a8 -> ${host}${password ? ' (password mode)", "reason": "Console output includes a credential-bearing template expression.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.92, "correlation_key": "secret|src/main.js|64|console.log main websocket - host password password mode"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main.js"}, "region": {"startLine": 649}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 10238, "scanner": "repobility-journey-contract", "fingerprint": "53db7ad286a11006d58f166c8d8362772fa70857618cad6f0a122ab3a04f470c", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/lib/ws-client.js|159|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/lib/ws-client.js"}, "region": {"startLine": 159}}}]}]}]}