{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": 
"repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `collect_cleanup_manifest` has cognitive complexity 17 (SonarSource scale)", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `collect_cleanup_manifest` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, an"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 17."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. 
If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 825 lines (recommend <300)", "shortDescription": {"text": "Average file size is 825 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. 
Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_README", "name": "No README file found", "shortDescription": {"text": "No README file found"}, "fullDescription": {"text": "Create a README.md with: project name and description, installation instructions, usage examples, configuration options, and contribution guidelines."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior."}, "properties": {"scanner": "repobility-ai-code-hygiene", 
"category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED080", "name": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace.", "shortDescription": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `tools/worldbuilder/__pycache__/importer.cpython-310.pyc` committed in source repo: `tools/worldb", "shortDescription": {"text": "[MINED134] Binary file `tools/worldbuilder/__pycache__/importer.cpython-310.pyc` committed in source repo: `tools/worldbuilder/__pycache__/importer.cpython-310.pyc` is a .pyc binary (8,334 bytes) committed to a repo that otherwise has 537 s"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. Th", "shortDescription": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images sh"}, "fullDescription": {"text": "Replace with: `FROM alpine:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_compiler: Test function `test_compiler` runs code but contains no assert / expect", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_compiler: Test function `test_compiler` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.send` used but never assigned in __init__: Method `disconnect` of class `MuxConnection` reads `self.sen", "shortDescription": {"text": "[MINED108] `self.send` used but never assigned in __init__: Method `disconnect` of class `MuxConnection` reads `self.send`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time "}, "fullDescription": {"text": "Initialize `self.send = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the resolved path is inside your expected base directory; compare whole path components (for example with os.path.commonpath()) rather than a bare string prefix, which a sibling directory with the same prefix would also match. 
Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Apply the block to the address the hostname actually resolves to, including loopback and IPv6 ranges, and re-check it on every redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`", "shortDescription": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import queue` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/965"}, "properties": {"repository": "brazilofmux/tinymux", "repoUrl": "https://github.com/brazilofmux/tinymux", "branch": "master"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 90618, "scanner": "repobility-ast-engine", "fingerprint": "3d3e4980264c357bf5e3f81dc0f929530ed23701c30c49dfe0e7c724782fa433", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d3e4980264c357bf5e3f81dc0f929530ed23701c30c49dfe0e7c724782fa433"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/live_adapter.py"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 90611, "scanner": "repobility-ast-engine", "fingerprint": "bb9366468a92bc3a9d45b18133c7a9317196ab0ec975195c0ae3d1f9a6f24d75", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bb9366468a92bc3a9d45b18133c7a9317196ab0ec975195c0ae3d1f9a6f24d75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_diff_v3.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 90606, "scanner": "repobility-ast-engine", "fingerprint": "243dfd9fe939e3fecb17c59845ae8f666a200b869f401c7566d6bf7a2d414c2e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|243dfd9fe939e3fecb17c59845ae8f666a200b869f401c7566d6bf7a2d414c2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/migrate.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 90587, "scanner": "repobility-ast-engine", "fingerprint": "c144aeb79426451e64b002efee1776d3b837aea630b95a21dafd96d685ec60c0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c144aeb79426451e64b002efee1776d3b837aea630b95a21dafd96d685ec60c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/worldbuilder.py"}, "region": {"startLine": 928}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 90585, "scanner": "repobility-docker", "fingerprint": 
"318fc6344de320be70b9204ca5d54bc4ae5e96976538602c7c0d1c348e4c5d83", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|318fc6344de320be70b9204ca5d54bc4ae5e96976538602c7c0d1c348e4c5d83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/tinymux/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 90584, "scanner": "repobility-docker", "fingerprint": "696862c62cfb94fd8ea8b40b9d2c272da5630a0bc0444f03e2dad2e7c8a321a3", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|696862c62cfb94fd8ea8b40b9d2c272da5630a0bc0444f03e2dad2e7c8a321a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/tinymux/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 90583, "scanner": "repobility-docker", "fingerprint": "579c3f95e38fb44d0d22dffd56ec1b1258d39c0a2bd401b074e8077a50aa240c", "category": "docker", 
"severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|579c3f95e38fb44d0d22dffd56ec1b1258d39c0a2bd401b074e8077a50aa240c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/tinymux/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 90582, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 90581, "scanner": "repobility-docker", "fingerprint": "806771c965307a761df0565c79e8ff809cda631a35bf68563316465f9e146897", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": 
"tinymux:2.13.0.11", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|806771c965307a761df0565c79e8ff809cda631a35bf68563316465f9e146897"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/AnonymousMUX/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 90580, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "mux/game/data/netmux.db", "size_mb": 0.1}, {"path": "docker/AnonymousMUX/game/data/netmux.db", "size_mb": 0.1}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 90579, "scanner": "repobility-agent-runtime", "fingerprint": "77a0e4c7b087a2902058da60bab827aad355ef59c78c13d3f79703b89a51538f", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has 
an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|77a0e4c7b087a2902058da60bab827aad355ef59c78c13d3f79703b89a51538f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/web/js/settings.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `collect_cleanup_manifest` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, for=6, if=3, nested_bonus=7."}, "properties": {"repobilityId": 90545, "scanner": "repobility-threat-engine", "fingerprint": "c0ef811fd6731beef9d14ef6c151141bf5e11e61c01ff369aa269ff92a4a4440", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 17 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "collect_cleanup_manifest", "breakdown": {"if": 3, "for": 6, "continue": 1, "nested_bonus": 7}, "complexity": 17, "correlation_key": "fp|c0ef811fd6731beef9d14ef6c151141bf5e11e61c01ff369aa269ff92a4a4440"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "testcases/tools/generate_smoke_suite.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 20 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=1, for=4, if=6, nested_bonus=9."}, "properties": {"repobilityId": 90544, "scanner": "repobility-threat-engine", "fingerprint": "cbab0b1a45216650ebcc460fc5e574809409430e76f3531b8e9e09d21448b744", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 20 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 6, "for": 4, "continue": 1, "nested_bonus": 9}, "complexity": 20, "correlation_key": "fp|cbab0b1a45216650ebcc460fc5e574809409430e76f3531b8e9e09d21448b744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/win32gui/validate_vcxproj.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 90542, "scanner": "repobility-threat-engine", "fingerprint": "07d0a32ba06c54316300a28039997e25f046719911c0495a502ba8e6ec36c9a2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|127|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/modules/engine/lua_mod.h"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection). Triage note: the rationale above is written for Python eval()/exec(); this finding is a pattern match on .exec( in a JavaScript file, which may be RegExp.prototype.exec (regex matching, not code evaluation), so confirm what the call at the reported line does before treating it as injection."}, "properties": {"repobilityId": 90540, "scanner": "repobility-threat-engine", "fingerprint": "d91ee35b38ba3b08a26636f500bfe58bb4d820e9b451f19a826d4ca80e4be5b4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|client/web/js/triggers.js|50|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/web/js/triggers.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 90539, "scanner": "repobility-threat-engine", "fingerprint": "84d1f5d5ae95d2ae25d0f27bdffb7b910daadbc29eb516aa12081dc064ad3bc3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "try:\n        spec = parse_spec(migration_path)\n    except Exception as e:\n        return None", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|84d1f5d5ae95d2ae25d0f27bdffb7b910daadbc29eb516aa12081dc064ad3bc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/migrate.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 90538, "scanner": "repobility-threat-engine", "fingerprint": "5c8eb45051a0a673489460338a11136d21815586c442800bbd607b7397b28af1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch(e) { return null; }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5c8eb45051a0a673489460338a11136d21815586c442800bbd607b7397b28af1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/web/js/spawns.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 90535, "scanner": "repobility-threat-engine", "fingerprint": "04cd0778d7e8d09639b4bae4520f6121f03409dc6fc0f1998c50b2bdb6a6c2bb", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|04cd0778d7e8d09639b4bae4520f6121f03409dc6fc0f1998c50b2bdb6a6c2bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/web/js/triggers.js"}, "region": {"startLine": 73}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 90534, "scanner": "repobility-threat-engine", "fingerprint": 
"e5243273bbc178c933c2c7ce2ed836c5f504c60b94d3cf9127c3174c9294fc9d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e5243273bbc178c933c2c7ce2ed836c5f504c60b94d3cf9127c3174c9294fc9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/web/js/settings.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 825 lines (recommend <300)"}, "properties": {"repobilityId": 90526, "scanner": "repobility-core", "fingerprint": "9170719a8f33bd161ee19d75b4fbb006b171803dd71d749631d2251490a5709a", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|9170719a8f33bd161ee19d75b4fbb006b171803dd71d749631d2251490a5709a"}}}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 90525, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "CORE_NO_README", "level": "warning", "message": {"text": "No README file found"}, "properties": {"repobilityId": 90523, "scanner": "repobility-core", "fingerprint": "b55c73163757fe6b2364bb829fcd26e87b9d9e7b367dd2a3307a814b02b29cbd", 
"category": "documentation", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_README", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_readme"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90578, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa17888e9317af8620d76b3e3726f68984ce7170672528b1a75e3bea9745eb92", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/modules/engine/ast_scan.cpp", "duplicate_line": 417, "correlation_key": "fp|fa17888e9317af8620d76b3e3726f68984ce7170672528b1a75e3bea9745eb92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "testcases/tools/unformat.c"}, "region": {"startLine": 332}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90577, "scanner": "repobility-ai-code-hygiene", "fingerprint": "08a056da5a6e99514201d82840e6d8cfd4ca4e339821bdc5689d2cdf05b8302a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/modules/engine/art_scan.cpp", "duplicate_line": 397, "correlation_key": "fp|08a056da5a6e99514201d82840e6d8cfd4ca4e339821bdc5689d2cdf05b8302a"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "testcases/tools/unformat.c"}, "region": {"startLine": 327}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90576, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae08ce910ab44d3dbce2f5cdbfcbb68777fba856183f4a27e0c8fb5f102759af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/include/unicode_tables_c.h", "duplicate_line": 1, "correlation_key": "fp|ae08ce910ab44d3dbce2f5cdbfcbb68777fba856183f4a27e0c8fb5f102759af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ragel/unicode_tables.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90575, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8c78af2f4ef77d52970ac386bf229ca587865eb329ab3253f77507f3425b3ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "parser/parse.cpp", "duplicate_line": 1, "correlation_key": "fp|f8c78af2f4ef77d52970ac386bf229ca587865eb329ab3253f77507f3425b3ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "parser/tokenize.cpp"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation 
block across source files"}, "properties": {"repobilityId": 90574, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c14c6d7f677e708c892eab89bb95ab07c5b56a629899319c6117b6c7a8b71a4a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/modules/comsys/comsys_mod.h", "duplicate_line": 122, "correlation_key": "fp|c14c6d7f677e708c892eab89bb95ab07c5b56a629899319c6117b6c7a8b71a4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/modules/mail/mail_mod.h"}, "region": {"startLine": 174}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90573, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f93b59e64095e269fc921e929b9f64528cbd939c7c5e66c8ec8c0ae9d635ef1f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/modules/engine/quota.cpp", "duplicate_line": 111, "correlation_key": "fp|f93b59e64095e269fc921e929b9f64528cbd939c7c5e66c8ec8c0ae9d635ef1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/modules/engine/wiz.cpp"}, "region": {"startLine": 151}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90572, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"de201489306533ed9a56e2aa3492c6ba4848ad43b02a5eecef520d1be5b96b16", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/modules/comsys/comsys_mod.h", "duplicate_line": 122, "correlation_key": "fp|de201489306533ed9a56e2aa3492c6ba4848ad43b02a5eecef520d1be5b96b16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/modules/engine/lua_mod.h"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90571, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1791b980f558eb3b1fc1a53f35efad09a40c60a2fb98c04b7961f662d0529b89", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/include/levels.h", "duplicate_line": 16, "correlation_key": "fp|1791b980f558eb3b1fc1a53f35efad09a40c60a2fb98c04b7961f662d0529b89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/modules/engine/levels.cpp"}, "region": {"startLine": 481}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90570, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee9798fe611ea151f1426bbd9fc00fbb6202c41966ca5a54162993d65d86bffa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/modules/engine/art_scan.cpp", "duplicate_line": 401, "correlation_key": "fp|ee9798fe611ea151f1426bbd9fc00fbb6202c41966ca5a54162993d65d86bffa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/modules/engine/ast_scan.cpp"}, "region": {"startLine": 416}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90569, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b91a43c68ce0cbf13d1c613bf725dcebc6e95be2eb0ea53e4c6537c14e3a3f27", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/include/comsys.h", "duplicate_line": 1, "correlation_key": "fp|b91a43c68ce0cbf13d1c613bf725dcebc6e95be2eb0ea53e4c6537c14e3a3f27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/modules/comsys/comsys_mod.h"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90568, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c869853fa8a20c5e2b1469017d22fa1599aa114f157f4a0b8edb55027220579", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/include/dbt_emit_a64.h", "duplicate_line": 11, "correlation_key": "fp|1c869853fa8a20c5e2b1469017d22fa1599aa114f157f4a0b8edb55027220579"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/include/dbt_emit_x64.h"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90567, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4111de3002def0e7debcfe254ea787b10cab03b4805282acec2625cd36f304c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/ganl/src/kqueue_network_engine.cpp", "duplicate_line": 447, "correlation_key": "fp|4111de3002def0e7debcfe254ea787b10cab03b4805282acec2625cd36f304c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/ganl/src/select_network_engine.cpp"}, "region": {"startLine": 426}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90566, "scanner": "repobility-ai-code-hygiene", "fingerprint": "21dd5a71636b07e2589b3e85e1745a6a8c5b4ac7c2c2734b39bfde6b8aecfb41", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/ganl/include/kqueue_network_engine.h", "duplicate_line": 9, 
"correlation_key": "fp|21dd5a71636b07e2589b3e85e1745a6a8c5b4ac7c2c2734b39bfde6b8aecfb41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/ganl/include/select_network_engine.h"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90565, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e6f8003d929d19ca6c2020b906103f6de33e075aeb37757818485fd59e4bd0f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/ganl/include/epoll_network_engine.h", "duplicate_line": 18, "correlation_key": "fp|6e6f8003d929d19ca6c2020b906103f6de33e075aeb37757818485fd59e4bd0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/ganl/include/kqueue_network_engine.h"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90564, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b4ce927d9b6ebfb041c8f6608730985ccaf00e6447c969345b724e033b1a8b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/convert/t5xgame.h", "duplicate_line": 217, "correlation_key": "fp|0b4ce927d9b6ebfb041c8f6608730985ccaf00e6447c969345b724e033b1a8b5"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "mux/convert/t6hgame.h"}, "region": {"startLine": 211}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90563, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6ac35f0cf6655f81f04d0047d835e75693da7b25a02e878ef010d2c2d08e13ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/convert/p6hgame.h", "duplicate_line": 327, "correlation_key": "fp|6ac35f0cf6655f81f04d0047d835e75693da7b25a02e878ef010d2c2d08e13ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/convert/t6hgame.h"}, "region": {"startLine": 182}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90562, "scanner": "repobility-ai-code-hygiene", "fingerprint": "257dad9cb9a5999cdcb9effb87e76f2100fbf7136b97ab8cc99b76d21b480789", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/convert/r7hgame.h", "duplicate_line": 4, "correlation_key": "fp|257dad9cb9a5999cdcb9effb87e76f2100fbf7136b97ab8cc99b76d21b480789"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/convert/t6hgame.h"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 90561, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6526ff6351ee47e6a9b528a03b8682f94dc068c552f7a22c41cb2d78f5ba600c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/convert/p6hgame.h", "duplicate_line": 327, "correlation_key": "fp|6526ff6351ee47e6a9b528a03b8682f94dc068c552f7a22c41cb2d78f5ba600c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/convert/t5xgame.h"}, "region": {"startLine": 188}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90560, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aae73605493a31870c06a17c9c0bd9b69bd0998ffc3e7e72991a58a5e49555bc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/convert/r7hgame.h", "duplicate_line": 4, "correlation_key": "fp|aae73605493a31870c06a17c9c0bd9b69bd0998ffc3e7e72991a58a5e49555bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/convert/t5xgame.h"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90559, "scanner": "repobility-ai-code-hygiene", "fingerprint": "93fd1ff4ce83562dda6300546389ba2c4f7ce7ec2d7db800df35b2a14e04f178", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mux/convert/p6hgame.h", "duplicate_line": 327, "correlation_key": "fp|93fd1ff4ce83562dda6300546389ba2c4f7ce7ec2d7db800df35b2a14e04f178"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/convert/r7hgame.h"}, "region": {"startLine": 173}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90558, "scanner": "repobility-ai-code-hygiene", "fingerprint": "549952950d27936641f1d64c1934228fea0ff320bdc9dda8d68a883114fa2c9c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "color/kdtree.cpp", "duplicate_line": 49, "correlation_key": "fp|549952950d27936641f1d64c1934228fea0ff320bdc9dda8d68a883114fa2c9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "color/kdtree_lab.cpp"}, "region": {"startLine": 157}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90557, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b79c8137214f0d70e908e64773e7d6554734d349191c97ff39150ff1ef4a07ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/console/src/spawn.h", "duplicate_line": 11, "correlation_key": "fp|b79c8137214f0d70e908e64773e7d6554734d349191c97ff39150ff1ef4a07ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/tf/src/spawn.h"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90556, "scanner": "repobility-ai-code-hygiene", "fingerprint": "977e072000d75d37b0a58605d2cbf8ac758c65549bbcd39f15345bcd409a4f7c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/console/src/spawn.cpp", "duplicate_line": 30, "correlation_key": "fp|977e072000d75d37b0a58605d2cbf8ac758c65549bbcd39f15345bcd409a4f7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/tf/src/spawn.cpp"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 90555, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d8c52c473493474542fa090f47a176a8d06bd47f3eb4f776ad2d6be857cd8fb8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/console/src/hydra_connection.cpp", "duplicate_line": 9, "correlation_key": 
"fp|d8c52c473493474542fa090f47a176a8d06bd47f3eb4f776ad2d6be857cd8fb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/tf/src/hydra_connection.cpp"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 90554, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": ["AGENTS.md", "CLAUDE.md", "GEMINI.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AGENTS.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `load_grammar` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: for=2, if=2, nested_bonus=6, recursion=1."}, "properties": {"repobilityId": 90546, "scanner": "repobility-threat-engine", "fingerprint": "2cfa72f56cbfc246af408cae0c87300a8895bc03c7d4412ed43dbe2de9193801", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "load_grammar", "breakdown": {"if": 2, "for": 2, "recursion": 1, "nested_bonus": 6}, "complexity": 11, "correlation_key": "fp|2cfa72f56cbfc246af408cae0c87300a8895bc03c7d4412ed43dbe2de9193801"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/grammar.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 90524, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 90550, "scanner": "repobility-threat-engine", "fingerprint": "27244343948254d8b14e1d7bdf25939d01a68e38a0ab212c91657e99466183bc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, 
"promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|27244343948254d8b14e1d7bdf25939d01a68e38a0ab212c91657e99466183bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/src/bsd.cpp"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 90549, "scanner": "repobility-threat-engine", "fingerprint": "4069395a509c3803e527238f7c81fad521f436adc638ce67128ca176da3f551a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4069395a509c3803e527238f7c81fad521f436adc638ce67128ca176da3f551a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/modules/engine/vattr.cpp"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 90548, "scanner": "repobility-threat-engine", "fingerprint": "9bfcce33a6cd834b68a3f04c49b686e82ffa2a074a58040b599a7a7e31ca359e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": 
"cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9bfcce33a6cd834b68a3f04c49b686e82ffa2a074a58040b599a7a7e31ca359e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/convert/omega.h"}, "region": {"startLine": 15}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 90547, "scanner": "repobility-threat-engine", "fingerprint": "ea7e91dd5c7e64706a198254e066b520737d0337b0e2613fa045355b61c46188", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 6, "for": 4, "continue": 1, "nested_bonus": 9}, "aggregated": true, "complexity": 20, "correlation_key": "fp|ea7e91dd5c7e64706a198254e066b520737d0337b0e2613fa045355b61c46188", "aggregated_count": 12}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 90541, "scanner": "repobility-threat-engine", "fingerprint": "705aae2968ebdd78af9117a2864f1f9a5db7d97d4b088db02e47644416dc09fc", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.eval\\(' detected on same line", "evidence": {"match": ".eval(", "reason": "Safe pattern '\\.eval\\(' detected on same line", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|mux/include/engine_api.h|97|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/include/engine_api.h"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 90532, "scanner": "repobility-threat-engine", "fingerprint": "1c3fa82a8401937535e19812c6d4ff4233dc1ca896a43483255d0aa48ba12f82", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1c3fa82a8401937535e19812c6d4ff4233dc1ca896a43483255d0aa48ba12f82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/console/src/main.cpp"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 1 more): Same pattern found 
in 1 additional file. Review if needed."}, "properties": {"repobilityId": 90530, "scanner": "repobility-threat-engine", "fingerprint": "8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8a77ffb0a8fcdda223aabe32cdaf0e5bdc6cae13db4c9684d2f2d4932a1285a8"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `tools/worldbuilder/__pycache__/importer.cpython-310.pyc` committed in source repo: `tools/worldbuilder/__pycache__/importer.cpython-310.pyc` is a .pyc binary (8,334 bytes) committed to a repo that otherwise has 537 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. Files under `__pycache__/` are normally CPython bytecode caches generated from the adjacent `.py` sources rather than hand-added binaries; because the interpreter can load a cached `.pyc` instead of recompiling the reviewed source, delete them from version control and add `__pycache__/` to `.gitignore`."}, "properties": {"repobilityId": 90639, "scanner": "repobility-supply-chain", "fingerprint": "057ad1c3851d1602c4f3309ecf78b1a8f71c88311ac21e09428fdba6c6776d4f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|057ad1c3851d1602c4f3309ecf78b1a8f71c88311ac21e09428fdba6c6776d4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/__pycache__/importer.cpython-310.pyc"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `tools/worldbuilder/__pycache__/grammar.cpython-310.pyc` committed in source repo: `tools/worldbuilder/__pycache__/grammar.cpython-310.pyc` is a .pyc binary (7,411 bytes) committed to a repo that otherwise has 537 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 90638, "scanner": "repobility-supply-chain", "fingerprint": "2a4e7dfae70a0a5aa7ea20354ee1ff73a568cda54fac4504e1f9d95da5bb2524", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a4e7dfae70a0a5aa7ea20354ee1ff73a568cda54fac4504e1f9d95da5bb2524"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/__pycache__/grammar.cpython-310.pyc"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `tools/worldbuilder/__pycache__/mapgen.cpython-310.pyc` committed in source repo: `tools/worldbuilder/__pycache__/mapgen.cpython-310.pyc` is a .pyc binary (8,037 bytes) committed to a repo that otherwise has 537 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 90637, "scanner": "repobility-supply-chain", "fingerprint": "37c1cb9905a6005703fc7bc353375c5a84bd6713e84b35968c4d21e0e94d4234", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37c1cb9905a6005703fc7bc353375c5a84bd6713e84b35968c4d21e0e94d4234"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/__pycache__/mapgen.cpython-310.pyc"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `tools/worldbuilder/__pycache__/executor.cpython-310.pyc` committed in source repo: `tools/worldbuilder/__pycache__/executor.cpython-310.pyc` is a .pyc binary (10,374 bytes) committed to a repo that otherwise has 537 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 90636, "scanner": "repobility-supply-chain", "fingerprint": "8c49cda20cd7d11e66c5974684b177e67c99c818d73895d076c307b3bc88ebae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c49cda20cd7d11e66c5974684b177e67c99c818d73895d076c307b3bc88ebae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/__pycache__/executor.cpython-310.pyc"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `tools/worldbuilder/__pycache__/softcode_lint.cpython-310.pyc` committed in source repo: `tools/worldbuilder/__pycache__/softcode_lint.cpython-310.pyc` is a .pyc binary (7,433 bytes) committed to a repo that otherwise has 537 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 90635, "scanner": "repobility-supply-chain", "fingerprint": "6a31c560feef2936782e62f91738c1fb52d1543b03cecfb6f2e82e29eecdadc8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a31c560feef2936782e62f91738c1fb52d1543b03cecfb6f2e82e29eecdadc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/__pycache__/softcode_lint.cpython-310.pyc"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `tools/worldbuilder/__pycache__/worldbuilder.cpython-310.pyc` committed in source repo: `tools/worldbuilder/__pycache__/worldbuilder.cpython-310.pyc` is a .pyc binary (25,098 bytes) committed to a repo that otherwise has 537 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 90634, "scanner": "repobility-supply-chain", "fingerprint": "5feaffcf029a1f154b61630f597279b44e815276432bbd8ceaae8117ef3e5a8d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5feaffcf029a1f154b61630f597279b44e815276432bbd8ceaae8117ef3e5a8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/__pycache__/worldbuilder.cpython-310.pyc"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `client/android/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `client/android/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,705 bytes) committed to a repo that otherwise has 537 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts. The Gradle wrapper JAR is conventionally committed alongside `gradlew`, so its presence alone is expected; verify its SHA-256 against the checksum Gradle publishes for the wrapper version in use before clearing this finding."}, "properties": {"repobilityId": 90633, "scanner": "repobility-supply-chain", "fingerprint": "429b4ebcf407604681111c5a57d0014b6c135fd611200430d45e1a90c00a3b85", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|429b4ebcf407604681111c5a57d0014b6c135fd611200430d45e1a90c00a3b85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/android/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 90632, "scanner": "repobility-supply-chain", "fingerprint": "82efb9ed97171ad4bc8305ce32d3c0c62cce3d3e11533eb290613adf09f8ef40", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82efb9ed97171ad4bc8305ce32d3c0c62cce3d3e11533eb290613adf09f8ef40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/tinymux/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 90631, "scanner": "repobility-supply-chain", "fingerprint": "b51b57662b872b33009580b285d87c1d0952724bd869637976b22ed8538e3d40", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b51b57662b872b33009580b285d87c1d0952724bd869637976b22ed8538e3d40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/tinymux/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `tinymux:2.13.0.11` not pinned by digest: `FROM tinymux:2.13.0.11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 90630, "scanner": "repobility-supply-chain", "fingerprint": "88a56ac4f22a72fdd9b02748a22eed352b92301a4241dc69ddb1e095407e735e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88a56ac4f22a72fdd9b02748a22eed352b92301a4241dc69ddb1e095407e735e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/AnonymousMUX/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_compiler: Test function `test_compiler` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90628, "scanner": "repobility-ast-engine", "fingerprint": "41c363f69afa0d6a69e52891890f7de288047f6ad16a65104574a1e7c2692aa3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|41c363f69afa0d6a69e52891890f7de288047f6ad16a65104574a1e7c2692aa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_worldbuilder.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_things: Test function `test_things` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90627, "scanner": "repobility-ast-engine", "fingerprint": "1fea875177809972992818c02e439b9f86fd51fb134b61fff01b9db05da39371", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1fea875177809972992818c02e439b9f86fd51fb134b61fff01b9db05da39371"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_worldbuilder.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_procedural_grid: Test function `test_procedural_grid` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90626, "scanner": "repobility-ast-engine", "fingerprint": "3d0d01211c356be73114d94186a0c89bd4c3a3e231bcbb5079fd873c5bf33adb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d0d01211c356be73114d94186a0c89bd4c3a3e231bcbb5079fd873c5bf33adb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_worldbuilder.py"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_components: Test function `test_components` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90625, "scanner": "repobility-ast-engine", "fingerprint": "870d48582d223d84fca20cb22207823bb95325dbdddceadd848ddd0315a26e50", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|870d48582d223d84fca20cb22207823bb95325dbdddceadd848ddd0315a26e50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_worldbuilder.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_drc_negative: Test function `test_drc_negative` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90624, "scanner": "repobility-ast-engine", "fingerprint": "5136d464943df37e114af7628f9dcd31c6f37aeec6023df725160a0f4959862e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5136d464943df37e114af7628f9dcd31c6f37aeec6023df725160a0f4959862e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_worldbuilder.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_drc_positive: Test function `test_drc_positive` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90623, "scanner": "repobility-ast-engine", "fingerprint": "30a0eac29c2e45007760585df0a738f18dcdf69ed30616816a3cc57944308334", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|30a0eac29c2e45007760585df0a738f18dcdf69ed30616816a3cc57944308334"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_worldbuilder.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_spec_parsing: Test function `test_spec_parsing` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90622, "scanner": "repobility-ast-engine", "fingerprint": "7a78623bd70919eb84a2f612eca75c7745654bbdbb99eb55e70e898f833f68ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a78623bd70919eb84a2f612eca75c7745654bbdbb99eb55e70e898f833f68ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_worldbuilder.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_attr_command_escaping: Test function `test_attr_command_escaping` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90621, "scanner": "repobility-ast-engine", "fingerprint": "738c3471786889d85dc4e4da1cdd7110f8c692fd2e1a8763c3f00ac01d72f45d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|738c3471786889d85dc4e4da1cdd7110f8c692fd2e1a8763c3f00ac01d72f45d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_worldbuilder.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_mux_escape: Test function `test_mux_escape` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90620, "scanner": "repobility-ast-engine", "fingerprint": "d9a44480beee4fac184e0bb5c938785d240ed95f79da315081e3fbd0790a51cd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d9a44480beee4fac184e0bb5c938785d240ed95f79da315081e3fbd0790a51cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_worldbuilder.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send` used but never assigned in __init__: Method `disconnect` of class `MuxConnection` reads `self.send`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 90617, "scanner": "repobility-ast-engine", "fingerprint": "77e660857c0a662b15ae01363c9e7b4ef038d39278246e3aaec37f6e6148ee97", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|77e660857c0a662b15ae01363c9e7b4ef038d39278246e3aaec37f6e6148ee97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/executor.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._strip_telnet` used but never assigned in __init__: Method `_read_until_quiet` of class `MuxConnection` reads `self._strip_telnet`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 90616, "scanner": "repobility-ast-engine", "fingerprint": "92c8874e4ff22e294fa697d7c6143d98e0f414250f0a97b69d43db2cede4ea98", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|92c8874e4ff22e294fa697d7c6143d98e0f414250f0a97b69d43db2cede4ea98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/executor.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._read_until_quiet` used but never assigned in __init__: Method `read_response` of class `MuxConnection` reads `self._read_until_quiet`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 90615, "scanner": "repobility-ast-engine", "fingerprint": "cf2e10623295eb554f74f4e532439268d735568362d85b6b700f51299b845a56", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf2e10623295eb554f74f4e532439268d735568362d85b6b700f51299b845a56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/executor.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._read_until_quiet` used but never assigned in __init__: Method `login` of class `MuxConnection` reads `self._read_until_quiet`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 90614, "scanner": "repobility-ast-engine", "fingerprint": "e099d0686320e48e93ca1a2db1bf75d4228c1d41cff1db025cf5b2cc6562694e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e099d0686320e48e93ca1a2db1bf75d4228c1d41cff1db025cf5b2cc6562694e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/executor.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send` used but never assigned in __init__: Method `login` of class `MuxConnection` reads `self.send`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 90613, "scanner": "repobility-ast-engine", "fingerprint": "9e67d6f58fa479999ddad56db5b08155101a3fbf8d13bf7f98dda26808e7877f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9e67d6f58fa479999ddad56db5b08155101a3fbf8d13bf7f98dda26808e7877f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/executor.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._read_until_quiet` used but never assigned in __init__: Method `connect` of class `MuxConnection` reads `self._read_until_quiet`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 90612, "scanner": "repobility-ast-engine", "fingerprint": "7e73e5207e6609c020a88cb90650a7ca3f243af758befab3595d8dd9a1206a8d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e73e5207e6609c020a88cb90650a7ca3f243af758befab3595d8dd9a1206a8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/executor.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.expand` used but never assigned in __init__: Method `generate` of class `Grammar` reads `self.expand`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 90610, "scanner": "repobility-ast-engine", "fingerprint": "5ee1288704929dcab8854f1e664fa546b28db77338e0b4d2a6a8edc6b176a047", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5ee1288704929dcab8854f1e664fa546b28db77338e0b4d2a6a8edc6b176a047"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/grammar.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.expand` used but never assigned in __init__: Method `expand` of class `Grammar` reads `self.expand`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 90609, "scanner": "repobility-ast-engine", "fingerprint": "e1a703b27372f520aab3165fb8877086262be100c9a2a319f765f995fbb03802", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e1a703b27372f520aab3165fb8877086262be100c9a2a319f765f995fbb03802"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/grammar.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._next_int` used but never assigned in __init__: Method `choice` of class `SeededRandom` reads `self._next_int`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 90608, "scanner": "repobility-ast-engine", "fingerprint": "fc4e91fb923c1c26917065d551aafff5e473d6720bed844ff04742a6378b8d81", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fc4e91fb923c1c26917065d551aafff5e473d6720bed844ff04742a6378b8d81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/grammar.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.save` used but never assigned in __init__: Method `mark_rolled_back` of class `MigrationState` reads `self.save`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 90605, "scanner": "repobility-ast-engine", "fingerprint": "c7c5e2a8aebd62aa555ad11246032f87d6203d376093cfd5467a8b89dd7f57b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c7c5e2a8aebd62aa555ad11246032f87d6203d376093cfd5467a8b89dd7f57b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/migrate.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.save` used but never assigned in __init__: Method `mark_applied` of class `MigrationState` reads `self.save`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 90604, "scanner": "repobility-ast-engine", "fingerprint": "cf992f51410f47afcffe0ee288208971155985341bb00301cf1ea0a54bd2d30e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cf992f51410f47afcffe0ee288208971155985341bb00301cf1ea0a54bd2d30e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/migrate.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_empty: Test function `test_empty` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90603, "scanner": "repobility-ast-engine", "fingerprint": "d3df250e4e6f4b906bf0c60d904ac702f26ca0d046b55e24f9f3fb3f5782ca92", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d3df250e4e6f4b906bf0c60d904ac702f26ca0d046b55e24f9f3fb3f5782ca92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 269}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_format_report: Test function `test_format_report` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90602, "scanner": "repobility-ast-engine", "fingerprint": "f78fbffd1b910c896107969701b0101ccc104e9f8b0ecf928811b1ce5ebef702", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f78fbffd1b910c896107969701b0101ccc104e9f8b0ecf928811b1ce5ebef702"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 255}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_summary: Test function `test_summary` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90601, "scanner": "repobility-ast-engine", "fingerprint": "8f6b4fc11c9cf4580378ec6d04956def8775a7984bb571df799d89a8b530c0f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8f6b4fc11c9cf4580378ec6d04956def8775a7984bb571df799d89a8b530c0f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_multiple_objects: Test function `test_multiple_objects` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90600, "scanner": "repobility-ast-engine", "fingerprint": "fe1d07e841b1b12bb34d47080131685e7a685b64d0f24800e7f6b649ba8d9c82", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe1d07e841b1b12bb34d47080131685e7a685b64d0f24800e7f6b649ba8d9c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_flag_change: Test function `test_flag_change` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90599, "scanner": "repobility-ast-engine", "fingerprint": "9d57a38c0392a870144dd4dd1add985f9f7e6b6362cb707e513c051a0a43c0c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d57a38c0392a870144dd4dd1add985f9f7e6b6362cb707e513c051a0a43c0c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_attr_level_diff: Test function `test_attr_level_diff` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90598, "scanner": "repobility-ast-engine", "fingerprint": "3bf1abd7ffdbf8439b0665cf69c2507bd19ad5446038b780207e83fba5333362", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3bf1abd7ffdbf8439b0665cf69c2507bd19ad5446038b780207e83fba5333362"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_new_in_live: Test function `test_new_in_live` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90597, "scanner": "repobility-ast-engine", "fingerprint": "a3c716e491084d902da61bc3e0aa3ffed8d2c673ebe23e04c4d7ef4ab99228ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a3c716e491084d902da61bc3e0aa3ffed8d2c673ebe23e04c4d7ef4ab99228ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 179}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_new_in_spec: Test function `test_new_in_spec` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90596, "scanner": "repobility-ast-engine", "fingerprint": "40b02b4bdb4569b302cd59761135e384f8991302cf462f55e9c269f6c40cf218", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|40b02b4bdb4569b302cd59761135e384f8991302cf462f55e9c269f6c40cf218"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_pending_destroy: Test function `test_pending_destroy` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90595, "scanner": "repobility-ast-engine", "fingerprint": "75fed017d67ff3d72d1361f41d6efc35b31c22679d677089f14d15bd196469d7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75fed017d67ff3d72d1361f41d6efc35b31c22679d677089f14d15bd196469d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_recycled_live: Test function `test_recycled_live` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90594, "scanner": "repobility-ast-engine", "fingerprint": "96f386a06639d32d2a8cb91d2496f5147dc679902c680943bcb2fadf7e45c455", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|96f386a06639d32d2a8cb91d2496f5147dc679902c680943bcb2fadf7e45c455"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_missing_live: Test function `test_missing_live` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90593, "scanner": "repobility-ast-engine", "fingerprint": "8718564e085ed8e89679daf154faaaf9142688b84c97e09aefe0f8225dc4b0a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8718564e085ed8e89679daf154faaaf9142688b84c97e09aefe0f8225dc4b0a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_converged: Test function `test_converged` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90592, "scanner": "repobility-ast-engine", "fingerprint": "8364ea9e4569080e252494a920412898d5749b74383a544ccbf4c27b670a4d70", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8364ea9e4569080e252494a920412898d5749b74383a544ccbf4c27b670a4d70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_conflict: Test function `test_conflict` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90591, "scanner": "repobility-ast-engine", "fingerprint": "29406d8bc8f3f045e1827fbf16ad310b1afb56cd7e4df4f5b9990bceb580ea7e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|29406d8bc8f3f045e1827fbf16ad310b1afb56cd7e4df4f5b9990bceb580ea7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_live_modified: Test function `test_live_modified` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90590, "scanner": "repobility-ast-engine", "fingerprint": "0ac155f14619d8022f6a4588474d0f5358b3332046c126910650b8009c5ed973", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ac155f14619d8022f6a4588474d0f5358b3332046c126910650b8009c5ed973"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_spec_modified: Test function `test_spec_modified` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90589, "scanner": "repobility-ast-engine", "fingerprint": "5c800f6b9f32324ced7f6805ba463ddf4495cca8b2ee63cb3a0f81b5a6bbe15f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5c800f6b9f32324ced7f6805ba463ddf4495cca8b2ee63cb3a0f81b5a6bbe15f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_all_agree: Test function `test_all_agree` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 90588, "scanner": "repobility-ast-engine", "fingerprint": "e57c4e0c1cda5da98e781e094c2689372e27f138bbe3a698abb40d85935831b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e57c4e0c1cda5da98e781e094c2689372e27f138bbe3a698abb40d85935831b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/test_reconciler.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 90553, "scanner": "repobility-threat-engine", "fingerprint": "40d66602a318a27ad2a0875bafc0a2929c4e7610c5374dfe8bfb056dfa2add56", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open($input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|testcases/tools/unformat.pl|146|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "testcases/tools/unformat.pl"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 90552, "scanner": "repobility-threat-engine", "fingerprint": "e4f7a5f2fc81ada477487da81f2db68556671866ba31f733ddfba20e59be398e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4f7a5f2fc81ada477487da81f2db68556671866ba31f733ddfba20e59be398e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/grammar.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": 
{"repobilityId": 90551, "scanner": "repobility-threat-engine", "fingerprint": "3424b5a19a5f3ef10f3f53f3f1fd22bb4eaa62efa797954be3339d1b54c1a09b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3424b5a19a5f3ef10f3f53f3f1fd22bb4eaa62efa797954be3339d1b54c1a09b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mux/proxy/websocket.cpp"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 90543, "scanner": "repobility-threat-engine", "fingerprint": "c19f4b07edebc45e74dc794e94bcd213caa5efb2e90a202558f1987408fab448", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c19f4b07edebc45e74dc794e94bcd213caa5efb2e90a202558f1987408fab448"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/web/js/triggers.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 90537, "scanner": "repobility-threat-engine", "fingerprint": "77ca8c6895bd18493e80344b392e65bf225ca23c77e88a1a2c91c0077a2673f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|77ca8c6895bd18493e80344b392e65bf225ca23c77e88a1a2c91c0077a2673f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/web/js/triggers.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 90536, "scanner": "repobility-threat-engine", "fingerprint": "309571de19f4e308d90fa762082061ab7225b9ee98c5327a281773dd8561ef22", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|309571de19f4e308d90fa762082061ab7225b9ee98c5327a281773dd8561ef22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/web/js/spawns.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 90533, "scanner": "repobility-threat-engine", "fingerprint": "faf1ec4beb17d17f5298e62b760cb0cc6a1e6695b3614e3c53c650afee5ed060", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|faf1ec4beb17d17f5298e62b760cb0cc6a1e6695b3614e3c53c650afee5ed060"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/ios/Titan/Net/AnsiParser.swift"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 90531, "scanner": "repobility-threat-engine", "fingerprint": "e7edc4759a8bc499bef84b9983b69c867fd32b62888e7e8246c525b2d49dcee3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7edc4759a8bc499bef84b9983b69c867fd32b62888e7e8246c525b2d49dcee3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/android/app/src/main/java/org/tinymux/titan/net/MudConnection.kt"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] 
Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 90529, "scanner": "repobility-threat-engine", "fingerprint": "0ed5755ee8aff8923eec749b1691be0ac8ca7e626fd45263f00bb93dca6d8d87", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "all_nodes.update(nodes)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0ed5755ee8aff8923eec749b1691be0ac8ca7e626fd45263f00bb93dca6d8d87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/mapgen.py"}, "region": {"startLine": 289}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 90528, "scanner": "repobility-threat-engine", "fingerprint": "b97d649968c5fd5389154cd6f562f3b465a2154dfdf96bff968745fa7095e9e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.save();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b97d649968c5fd5389154cd6f562f3b465a2154dfdf96bff968745fa7095e9e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/web/js/settings.js"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 90527, "scanner": "repobility-threat-engine", "fingerprint": "b073eca7b0468bbefef4fe78819909c4915e48982926b53f31a1cc870f8c6a4b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "EncryptedSharedPreferences.create(\n            context,\n            \"titan_worlds_encrypted\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b073eca7b0468bbefef4fe78819909c4915e48982926b53f31a1cc870f8c6a4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/android/app/src/main/java/org/tinymux/titan/data/World.kt"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 90629, "scanner": "repobility-ast-engine", "fingerprint": "6f87ceb682f51ae79ddc498d7cd8da3bc7c40987b7044dd9dc90f7c23eb2a8ab", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f87ceb682f51ae79ddc498d7cd8da3bc7c40987b7044dd9dc90f7c23eb2a8ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/importer.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 90619, "scanner": "repobility-ast-engine", "fingerprint": "1c9f372a00282f3e93c998112c5c57b22caec7449e09dfbaa7fc18386c05b3fa", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1c9f372a00282f3e93c998112c5c57b22caec7449e09dfbaa7fc18386c05b3fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/mapgen.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 90607, "scanner": "repobility-ast-engine", "fingerprint": "f1461ef0004fab5b41af040768c769034429a661a11a0bab266b66e4641d7b49", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f1461ef0004fab5b41af040768c769034429a661a11a0bab266b66e4641d7b49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/grammar.py"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 90586, "scanner": "repobility-ast-engine", "fingerprint": "06cda92ef402e6e593c28b9a0e93a0100f6d021da822950636ea252a1f5fd6fa", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06cda92ef402e6e593c28b9a0e93a0100f6d021da822950636ea252a1f5fd6fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/worldbuilder/worldbuilder.py"}, "region": {"startLine": 502}}}]}]}]}