{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. 
If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. 
`curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `actions/configure-pages@v5` is 1 major version(s) behind (latest v6.0.0)", "shortDescription": {"text": "GitHub Action `actions/configure-pages@v5` is 1 major version(s) behind (latest v6.0.0)"}, "fullDescription": {"text": "`uses: actions/configure-pages@v5` is 1 major version(s) behind the latest published release v6.0.0. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. 
This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@types/react-dom` is 1 major version(s) behind (18.3.7 -> 19.2.3)", "shortDescription": {"text": "npm package `@types/react-dom` is 1 major version(s) behind (18.3.7 -> 19.2.3)"}, "fullDescription": {"text": "`@types/react-dom` is pinned/resolved at 18.3.7 but the latest stable release on the npm registry is 19.2.3 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "A file created as a fixed/new/final/copy variant is not referenced by imports or path-like strings in the rest of the repository. 
This is a strong sign that an agent produced code beside the active application path."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 532 lines (recommend <300)", "shortDescription": {"text": "Average file size is 532 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC124", "name": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacke", "shortDescription": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "fullDescription": {"text": "Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`."}, "properties": {"scanner": "repobility-threat-engine", "category": "race_condition", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `check_and_clean` has cognitive complexity 10 (SonarSource scale). Cogniti", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `check_and_clean` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursi"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 10."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "A generated replacement file defining the same public function or class name as another module can mean the new logic is not actually wired into the running code."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC006", "name": "Archive or legacy directory is mixed into the active repository root", "shortDescription": {"text": "Archive or legacy directory is mixed into the active repository root"}, "fullDescription": {"text": "Archive, old, backup, or legacy directories at the root often hide obsolete implementations that AI agents can copy from or accidentally rewire."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. 
For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC049", "name": "[SEC049] GCP API key (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[SEC049] GCP API key (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Restrict the key in Cloud Console (HTTP referrers / IP whitelist) and rotate. Move to Secret Manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 21 more): Same pattern found in 21 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 21 more): Same pattern found in 21 additional files. 
Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED063", "name": "[MINED063] Toctou Os Path Exists (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED063] Toctou Os Path Exists (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-367 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED021", "name": "[MINED021] Path Traversal Os Join (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED021] Path Traversal Os Join (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED014] Disabled Tls Verify (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 79 more): Same pattern found in 79 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 79 more): Same pattern found in 79 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 2 more): Same pattern found in 2 additional files. Review i", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 25 more): Same pattern found in 25 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8, ::1), and apply these checks to the address the hostname resolves to and to every redirect target, not only to the URL string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 31 more): Same pattern found in 31 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent (note that Rdn.escapeValue escapes DN values; a search filter needs RFC 4515 filter escaping). For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything, including bugs (a bare except: also swallows KeyboardInterrupt)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT003", "name": "User-editable role instructions are inserted into the system prompt", "shortDescription": {"text": "User-editable role instructions are inserted into the system prompt"}, "fullDescription": {"text": "Fleet or role instructions that users can edit should be treated as untrusted configuration. Prepending them to every system prompt lets stored text override runtime behavior."}, "properties": {"scanner": "repobility-agent-runtime", "category": "llm_injection", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `gitpod/workspace-node:latest` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `gitpod/workspace-node:latest` not pinned by digest"}, "fullDescription": {"text": "`FROM gitpod/workspace-node:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.wfile` used but never assigned in __init__", "shortDescription": {"text": "`self.wfile` used but never assigned in __init__"}, "fullDescription": {"text": "Method `do_GET` of class `DashHandler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "gcp-api-key", "name": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches.", "shortDescription": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "curl-auth-header", "name": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed r", "shortDescription": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "curl-auth-user", "name": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed re", "shortDescription": {"text": 
"Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `email` used but not imported", "shortDescription": {"text": "Missing import: `email` used but not imported"}, "fullDescription": {"text": "The file uses `email.something(...)` but never imports `email`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1092"}, "properties": {"repository": "zhouyoukang1234-spec/windsurf-assistant", "repoUrl": "https://github.com/zhouyoukang1234-spec/windsurf-assistant", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 107131, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 107102, "scanner": "repobility-threat-engine", "fingerprint": "4c0dc7726d485f68eb76e9d98f9585d05ab487f8a334117ecef3bfd5860071aa", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", 
"rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|194|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dao-proxy-min/install.sh"}, "region": {"startLine": 194}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 107101, "scanner": "repobility-threat-engine", "fingerprint": "345e454036d24e825e1a81aeb478971402abc9af26d0888a77c24da8a590a76a", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|windsurf /070- _plugins/020- vsix_daoagi/dao-proxy-min/install.sh|194|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/070-\u63d2\u4ef6_Plugins/020-\u9053VSIX_DaoAgi/dao-proxy-min/install.sh"}, "region": {"startLine": 194}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 107092, "scanner": "repobility-threat-engine", "fingerprint": "1e56a1339fd5377e1bf39d3502f51bcff8a02b1474ae3cd6c53fc85a1507d399", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n    return null;\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1e56a1339fd5377e1bf39d3502f51bcff8a02b1474ae3cd6c53fc85a1507d399"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/130-\u9053\u72ec\u7acb\u4f53_Standalone/05-GitHub/_hdougle_\u6d4b\u8bd5/read_run_logs.js"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 107091, "scanner": "repobility-threat-engine", "fingerprint": "e512d3a830cda3366c7ef6f8ae4bee928ed2198ddf2da152cafbd6308ffd81e3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n        return None", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e512d3a830cda3366c7ef6f8ae4bee928ed2198ddf2da152cafbd6308ffd81e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/full_deploy.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 107090, "scanner": "repobility-threat-engine", "fingerprint": "d1e4e90f4f270cd15d63aa7cfe66df3ee003727e172199c8d1e8b15cac0ff07e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n        return None", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d1e4e90f4f270cd15d63aa7cfe66df3ee003727e172199c8d1e8b15cac0ff07e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_proxy_split.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 107081, "scanner": "repobility-threat-engine", "fingerprint": "b7699fb5f5a4f5c6eb72ab710dd47b3d252ec08383577b329daf982e19f24b8f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b7699fb5f5a4f5c6eb72ab710dd47b3d252ec08383577b329daf982e19f24b8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/\u5b98\u65b9\u6a21\u5f0f\u56de\u5f52.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 107080, "scanner": "repobility-threat-engine", "fingerprint": "4cbea61a1b378bbf7cee468f2476a0fed46e77bd715e16fcce70025934fdeaed", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4cbea61a1b378bbf7cee468f2476a0fed46e77bd715e16fcce70025934fdeaed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_trajectory_guard.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 107079, "scanner": "repobility-threat-engine", "fingerprint": "b28f871b599cd50b3d703309896fb72dc83f26185fa9c38f70c7a9e7849a97a2", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b28f871b599cd50b3d703309896fb72dc83f26185fa9c38f70c7a9e7849a97a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_deep_probe.py"}, "region": {"startLine": 272}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 107071, "scanner": "repobility-threat-engine", "fingerprint": "c005e4c50e6818f0074a78a6153c859345cd41f54cf819db83d5d9141b7df5e9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c005e4c50e6818f0074a78a6153c859345cd41f54cf819db83d5d9141b7df5e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dao-injector/extension/inject.js"}, "region": {"startLine": 213}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 107070, "scanner": "repobility-threat-engine", "fingerprint": 
"97c7576381f074478245c493c6fc82964e577a17878b0f899d6e553c477c98c1", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|97c7576381f074478245c493c6fc82964e577a17878b0f899d6e553c477c98c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dao-injector/extension/content.js"}, "region": {"startLine": 113}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 107069, "scanner": "repobility-threat-engine", "fingerprint": "54db817858da5866df2921ab930a8cb62967e9c37469edf9c02f436dbe31e186", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(_e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|54db817858da5866df2921ab930a8cb62967e9c37469edf9c02f436dbe31e186"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_build_server.js"}, "region": {"startLine": 169}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 107023, "scanner": "repobility-threat-engine", "fingerprint": "874707939479d447e96b9dddb34a861a05dd4fc264d2ef5d80b8f81cd881dc73", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|windsurf /060- _repair token|10|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_find_request.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 107022, "scanner": "repobility-threat-engine", "fingerprint": "0c29b7a978703fdb01dc6810a991666467a56d528bb6f14c90cb81014bf6e8e2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|windsurf /060- _repair/_diag_leveldb_deep.js|32|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_diag_leveldb_deep.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 107021, "scanner": "repobility-threat-engine", "fingerprint": "77ebbb0289bc7f3603e08f0f22d4ca91401258f0c2423de68e1f25b3c4aee431", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "{exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|130- _standalone token|14|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "130-\u9053\u72ec\u7acb\u4f53_Standalone/01-VM/vm-side/dao_nano_public.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 107012, "scanner": "repobility-agent-runtime", "fingerprint": "b34bee80dd468bb542f69eef3bf55c74299f0ade0b2f25c94875fe2f01c8bdac", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|b34bee80dd468bb542f69eef3bf55c74299f0ade0b2f25c94875fe2f01c8bdac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dao_github_sync.js"}, "region": {"startLine": 174}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 107010, "scanner": "repobility-agent-runtime", "fingerprint": "cd4d1b46fadd051d3176977d47fbfc12241d73921f4ca0ff748fa1caeeffdfd2", 
"category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cd4d1b46fadd051d3176977d47fbfc12241d73921f4ca0ff748fa1caeeffdfd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/dao/vm_total.sh"}, "region": {"startLine": 23}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 107009, "scanner": "repobility-agent-runtime", "fingerprint": "07c27f3d98253cfe4f06bdd23c054586a9c66b635c3b85b81e52238d3466a558", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|07c27f3d98253cfe4f06bdd23c054586a9c66b635c3b85b81e52238d3466a558"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/dao/vm_bootstrap.sh"}, "region": {"startLine": 12}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 107008, "scanner": "repobility-agent-runtime", "fingerprint": "e5fa61d5fd3d6789cbf1d9a87d7cf090c12657e252de32dbcb69e51b0e15b2f3", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": 
"repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|e5fa61d5fd3d6789cbf1d9a87d7cf090c12657e252de32dbcb69e51b0e15b2f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/wam/extension.js"}, "region": {"startLine": 7776}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 107007, "scanner": "repobility-agent-runtime", "fingerprint": "15ac3687c5dd8ad2efd40730e152687ccc407d8f05f82e62e5e544abf391996e", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|15ac3687c5dd8ad2efd40730e152687ccc407d8f05f82e62e5e544abf391996e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/web/app/page.tsx"}, "region": {"startLine": 331}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 107006, "scanner": "repobility-agent-runtime", "fingerprint": "d0c68dfea3169d7baa69d0c64d93a5dabae208d31c6e057e0732bdc504a035f3", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": 
"fp|d0c68dfea3169d7baa69d0c64d93a5dabae208d31c6e057e0732bdc504a035f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/server.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 107005, "scanner": "repobility-agent-runtime", "fingerprint": "12727ccee0baabdd898c06683c9c68e3739d4e5c0fe1e937c4220cbac5633c0b", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|12727ccee0baabdd898c06683c9c68e3739d4e5c0fe1e937c4220cbac5633c0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/005-\u6587\u6863_docs/\u5370\u8bb0/\u5370200_\u9053\u6cd5\u81ea\u7136_\u672c\u5730\u5f15\u64ce\u94fe\u95ed\u73af_VM\u771f\u81ea\u6cbb\u8fb9\u754c_2026-05-22.md"}, "region": {"startLine": 101}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 107004, "scanner": "repobility-agent-runtime", "fingerprint": "4ef4e5f0851838fa0dd6402fb03a6c3a8fe66349c663f19a353bcf482a0c1515", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": 
"fp|4ef4e5f0851838fa0dd6402fb03a6c3a8fe66349c663f19a353bcf482a0c1515"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/005-\u6587\u6863_docs/\u5370\u8bb0/\u5370155\u7eed_\u5b9e\u6218\u6536\u675f_\u4e07\u6e90\u9f50\u5165_2026-05-19.md"}, "region": {"startLine": 145}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/configure-pages@v5` is 1 major version(s) behind (latest v6.0.0)"}, "properties": {"repobilityId": 107003, "scanner": "repobility-dependency-currency", "fingerprint": "f7da032b4b43f56695e4be6e8600769961a390f1c0b6e3b0c56183468ce3be13", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/configure-pages", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.0", "correlation_key": "fp|f7da032b4b43f56695e4be6e8600769961a390f1c0b6e3b0c56183468ce3be13", "current_version": "v5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-pages.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 107002, "scanner": "repobility-dependency-currency", "fingerprint": "3aeda9d77b0ec50629f5518f8a8b753334f5c77b551cd20876c5f3667efd4804", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], 
"latest_version": "v6.0.3", "correlation_key": "fp|3aeda9d77b0ec50629f5518f8a8b753334f5c77b551cd20876c5f3667efd4804", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-pages.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 107001, "scanner": "repobility-dependency-currency", "fingerprint": "1e3bd52e9857d5a3ed38f3a812871aa5e7b05d2284cbdc26aa56e38edd4e9fd8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|1e3bd52e9857d5a3ed38f3a812871aa5e7b05d2284cbdc26aa56e38edd4e9fd8", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-d.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 107000, "scanner": "repobility-dependency-currency", "fingerprint": "2a43a92141720f69f5cd23e241ddc1aeee532e1a28cdeab8af21867841731659", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": 
"fp|2a43a92141720f69f5cd23e241ddc1aeee532e1a28cdeab8af21867841731659", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-d.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)"}, "properties": {"repobilityId": 106999, "scanner": "repobility-dependency-currency", "fingerprint": "bfb3f217c5ae8ece9b1d2bfb9cf0efc5275066ca55da9ba3e5b80c4c32bbec13", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.0.1", "correlation_key": "fp|bfb3f217c5ae8ece9b1d2bfb9cf0efc5275066ca55da9ba3e5b80c4c32bbec13", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 106998, "scanner": "repobility-dependency-currency", "fingerprint": "9e52aa42087a58171478d1dc28d53e120f5a9adb459c4598cac4c8b1e23e5e4c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": 
"fp|9e52aa42087a58171478d1dc28d53e120f5a9adb459c4598cac4c8b1e23e5e4c", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 106997, "scanner": "repobility-dependency-currency", "fingerprint": "42ed69ad0910a3913331996072f27e0ea8d94e55110273bb5ec974f0a632dec7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|42ed69ad0910a3913331996072f27e0ea8d94e55110273bb5ec974f0a632dec7", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 106996, "scanner": "repobility-dependency-currency", "fingerprint": "fe4e22b5bf028b6cf6365be97592a6e227f64ba0880e82dc8abdfe4f076a8c25", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|fe4e22b5bf028b6cf6365be97592a6e227f64ba0880e82dc8abdfe4f076a8c25", 
"current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-c.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 106995, "scanner": "repobility-dependency-currency", "fingerprint": "76d06e1de5a4a39e2076e81f08c695ce33b46e39d9359d9bf455e9d180bb16b4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|76d06e1de5a4a39e2076e81f08c695ce33b46e39d9359d9bf455e9d180bb16b4", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-c.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 106994, "scanner": "repobility-dependency-currency", "fingerprint": "20efe87f445af30f20cb28dda95dc4fd99b903e2b4f31a0f399e0303c405b11e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|20efe87f445af30f20cb28dda95dc4fd99b903e2b4f31a0f399e0303c405b11e", "current_version": "v4"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/dao-boot.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 106993, "scanner": "repobility-dependency-currency", "fingerprint": "33afb24bdbf9e5ee8d8985cc8aa69c9b91d4bd7e3c0a98128061f3dd9bbe0de3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|33afb24bdbf9e5ee8d8985cc8aa69c9b91d4bd7e3c0a98128061f3dd9bbe0de3", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-boot.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 106992, "scanner": "repobility-dependency-currency", "fingerprint": "d5698fa46a8db973cae50a019a0fa85d59255a679feba78c7687c51dc5e2c9f3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|d5698fa46a8db973cae50a019a0fa85d59255a679feba78c7687c51dc5e2c9f3", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-fleet-cloud.yml"}, 
"region": {"startLine": 101}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 106991, "scanner": "repobility-dependency-currency", "fingerprint": "a4c1f24b1a62c7d7cb5e7a908c030edb6c65cb9879124a335b9dfe6e948aa2de", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|a4c1f24b1a62c7d7cb5e7a908c030edb6c65cb9879124a335b9dfe6e948aa2de", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-fleet-cloud.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/github-script@v7` is 2 major version(s) behind (latest v9.0.0)"}, "properties": {"repobilityId": 106990, "scanner": "repobility-dependency-currency", "fingerprint": "da0a3aae0a65947f189ffc8bc7dd72ad47f8dfab0d7c8af187701082a48be04a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/github-script", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v9.0.0", "correlation_key": "fp|da0a3aae0a65947f189ffc8bc7dd72ad47f8dfab0d7c8af187701082a48be04a", "current_version": "v7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/_enable_pages_once.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": 
"DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 106989, "scanner": "repobility-dependency-currency", "fingerprint": "9f219249c2a414f1e69e8bccd69ebbf639a9dc02c276d16b03aab23e2fbd8246", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|9f219249c2a414f1e69e8bccd69ebbf639a9dc02c276d16b03aab23e2fbd8246", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-main-shell.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 106988, "scanner": "repobility-dependency-currency", "fingerprint": "5f2e2b05f1c7f6e442a6b372d066155b0cdb573ca272aba97c1ad1f8b8a7b4a5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|5f2e2b05f1c7f6e442a6b372d066155b0cdb573ca272aba97c1ad1f8b8a7b4a5", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-a.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub 
Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 106987, "scanner": "repobility-dependency-currency", "fingerprint": "0ab0e2e01c07694fc7790cd5e6283e3081d1f28adbc3562a3d09bda1fbb22edf", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|0ab0e2e01c07694fc7790cd5e6283e3081d1f28adbc3562a3d09bda1fbb22edf", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-a.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 106986, "scanner": "repobility-dependency-currency", "fingerprint": "2c6f805b1101a7e67125a40c838dcb8db630881162e26e53657019d686c8a54d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|2c6f805b1101a7e67125a40c838dcb8db630881162e26e53657019d686c8a54d", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-free-loop.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind 
(latest v6.0.3)"}, "properties": {"repobilityId": 106985, "scanner": "repobility-dependency-currency", "fingerprint": "aab6737254f79e87677c3643a7ba2cfccb2d527e805a801e3073584a9406572c", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|aab6737254f79e87677c3643a7ba2cfccb2d527e805a801e3073584a9406572c", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-free-loop.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 106984, "scanner": "repobility-dependency-currency", "fingerprint": "eb6b1693f563f54c4bae26a313704b7d6db611128250211801088239ea9a060a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|eb6b1693f563f54c4bae26a313704b7d6db611128250211801088239ea9a060a", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-core.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 106983, 
"scanner": "repobility-dependency-currency", "fingerprint": "fee72fba354cfb75629cbb50962b7cb18698587838b90280c5ddad0c6907865a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|fee72fba354cfb75629cbb50962b7cb18698587838b90280c5ddad0c6907865a", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-core.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 106982, "scanner": "repobility-dependency-currency", "fingerprint": "29fbfd36ff7536f0c59cd3e67ba95be34d0b2c78004fc29596a6f9e840a89289", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|29fbfd36ff7536f0c59cd3e67ba95be34d0b2c78004fc29596a6f9e840a89289", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-b.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 106981, "scanner": "repobility-dependency-currency", "fingerprint": 
"1c1b1c00e12448e9aaffdb034940d9e38a22c44c3f768e5e3a97305189201bc3", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|1c1b1c00e12448e9aaffdb034940d9e38a22c44c3f768e5e3a97305189201bc3", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-b.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-node@v4` is 2 major version(s) behind (latest v6.4.0)"}, "properties": {"repobilityId": 106980, "scanner": "repobility-dependency-currency", "fingerprint": "4242f8e6d1a94acbca34aec97e764cb7a644b18dd291fa4c67c994049ebf6957", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-node", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.4.0", "correlation_key": "fp|4242f8e6d1a94acbca34aec97e764cb7a644b18dd291fa4c67c994049ebf6957", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-fleet.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 106979, "scanner": "repobility-dependency-currency", "fingerprint": "a4d4b467bd158c4aef4567a43de0976e29f00275d0b8ec4f1ad962c9a0b16fbf", 
"category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|a4d4b467bd158c4aef4567a43de0976e29f00275d0b8ec4f1ad962c9a0b16fbf", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-fleet.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/react-dom` is 1 major version(s) behind (18.3.7 -> 19.2.3)"}, "properties": {"repobilityId": 106974, "scanner": "repobility-dependency-currency", "fingerprint": "e76bc389b5e1a00855a32154d23842f4c232c3af8c2e174ab09fcddcc9e3f3df", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.2.3", "correlation_key": "fp|e76bc389b5e1a00855a32154d23842f4c232c3af8c2e174ab09fcddcc9e3f3df", "current_version": "18.3.7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106939, "scanner": "repobility-ast-engine", "fingerprint": "6ead04478c9763dd42db1fef4c84aae9f2d6012792134755aeaec8fede416282", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6ead04478c9763dd42db1fef4c84aae9f2d6012792134755aeaec8fede416282"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_deep_probe.py"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106938, "scanner": "repobility-ast-engine", "fingerprint": "36dbeec8acc100a64ca0f156771973f2d54e0b29bac7690373a58e88d12eb391", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|36dbeec8acc100a64ca0f156771973f2d54e0b29bac7690373a58e88d12eb391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_proxy_split.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106937, "scanner": "repobility-ast-engine", "fingerprint": "45e821119975d175e082f3c525c8db21099207cb585354c37fd9415c70c094c3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|45e821119975d175e082f3c525c8db21099207cb585354c37fd9415c70c094c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_proxy_split.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106936, "scanner": "repobility-ast-engine", "fingerprint": "b0a1c973feb01cfdd063ba3445a2affa5eabb3f1c25df1f011dea90c670123b3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b0a1c973feb01cfdd063ba3445a2affa5eabb3f1c25df1f011dea90c670123b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_proxy_split.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106935, "scanner": "repobility-ast-engine", "fingerprint": "c8218cba011dffaa09b02e67e2d8910024c2f2d64f91b582708bbcd99761316b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c8218cba011dffaa09b02e67e2d8910024c2f2d64f91b582708bbcd99761316b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_laptop_diag.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED111", "level": "warning", 
"message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106934, "scanner": "repobility-ast-engine", "fingerprint": "10e3f8b08549a459e6db8f61f21515fa4f04cd8cb5dfe2bb7a0073320e931325", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|10e3f8b08549a459e6db8f61f21515fa4f04cd8cb5dfe2bb7a0073320e931325"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_anti_fingerprint.py"}, "region": {"startLine": 342}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106933, "scanner": "repobility-ast-engine", "fingerprint": "ef00825dc3b9533cfb67337b19abb7985ac8a95bfe8bba26fa63f8dc291f26fc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef00825dc3b9533cfb67337b19abb7985ac8a95bfe8bba26fa63f8dc291f26fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_anti_fingerprint.py"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106932, "scanner": "repobility-ast-engine", "fingerprint": "5cb671c5db3f593b85d0b8cfdf50cb607d33be1be227c013a23eb18452060d34", "category": "quality", "severity": "medium", "confidence": 1.0, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5cb671c5db3f593b85d0b8cfdf50cb607d33be1be227c013a23eb18452060d34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix2.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106931, "scanner": "repobility-ast-engine", "fingerprint": "9e557b3caf6595fa3961caaf73b5b97e766e900599e29fba68a131d2262a0a50", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9e557b3caf6595fa3961caaf73b5b97e766e900599e29fba68a131d2262a0a50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_fix.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106930, "scanner": "repobility-ast-engine", "fingerprint": "17229997ffd2c31835df0083ee50782554d1d63cd752243962eca53555c352ec", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|17229997ffd2c31835df0083ee50782554d1d63cd752243962eca53555c352ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_fix.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106929, "scanner": "repobility-ast-engine", "fingerprint": "3bc0e16632b8011df5652ebf3849753a618b3ab2a8883989303d949b1c70f008", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3bc0e16632b8011df5652ebf3849753a618b3ab2a8883989303d949b1c70f008"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_fix.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106928, "scanner": "repobility-ast-engine", "fingerprint": "3a715feeed73e1d04ee980f9badc18b51bb3bf39c7c96854dd9e3a9e2affae78", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a715feeed73e1d04ee980f9badc18b51bb3bf39c7c96854dd9e3a9e2affae78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_net_check.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED111", "level": "warning", 
"message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106927, "scanner": "repobility-ast-engine", "fingerprint": "625970ac1faaec670e2ffb446814fbec3688420a2e6b5bb51676b31b644b7d20", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|625970ac1faaec670e2ffb446814fbec3688420a2e6b5bb51676b31b644b7d20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_net_check.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106926, "scanner": "repobility-ast-engine", "fingerprint": "2051722a03269f0743d4400e37b9c48fa871f1000662a19d57c02e5d9fc4f3a9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2051722a03269f0743d4400e37b9c48fa871f1000662a19d57c02e5d9fc4f3a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_net_check.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106925, "scanner": "repobility-ast-engine", "fingerprint": "6cda63f3675d5bbd66586c7e2903fdea4fd3712e2aa02eb228845ac60808b1d5", "category": "quality", "severity": "medium", "confidence": 1.0, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6cda63f3675d5bbd66586c7e2903fdea4fd3712e2aa02eb228845ac60808b1d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_net_check.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106924, "scanner": "repobility-ast-engine", "fingerprint": "2927768fdd871e2d5ab8b252876f9d7c1d2123e0e883798bc3114571618fac84", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2927768fdd871e2d5ab8b252876f9d7c1d2123e0e883798bc3114571618fac84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix3.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106923, "scanner": "repobility-ast-engine", "fingerprint": "e8ede737860f9ab88928929e7ce80b13a302e7d25d6846033e97c78a1a9c8c2d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|e8ede737860f9ab88928929e7ce80b13a302e7d25d6846033e97c78a1a9c8c2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106922, "scanner": "repobility-ast-engine", "fingerprint": "e9955c2467cb43f204109bdc2e66674f80a49949a40b288286471b953cd2f2d4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e9955c2467cb43f204109bdc2e66674f80a49949a40b288286471b953cd2f2d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 646}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106921, "scanner": "repobility-ast-engine", "fingerprint": "04193d989a8aab8b8f0482efdf1700fa71b0bc8f34238b3341a7d515c8c4ba88", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|04193d989a8aab8b8f0482efdf1700fa71b0bc8f34238b3341a7d515c8c4ba88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 619}}}]}, {"ruleId": "MINED111", "level": 
"warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106920, "scanner": "repobility-ast-engine", "fingerprint": "9eaa3925f39936ce55344ac2f72822499d9df6840455297757838f57a3663297", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9eaa3925f39936ce55344ac2f72822499d9df6840455297757838f57a3663297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 603}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106919, "scanner": "repobility-ast-engine", "fingerprint": "698c4c9febe81f0e751ea13ca97ba595ea3d6c07765c3f0b7e957c55c3be54d1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|698c4c9febe81f0e751ea13ca97ba595ea3d6c07765c3f0b7e957c55c3be54d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 587}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106918, "scanner": "repobility-ast-engine", "fingerprint": "156ef78520e55bb4615119403f60f99c55a95169bd486ddea2bcc44d99f7cafb", "category": "quality", "severity": "medium", "confidence": 
1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|156ef78520e55bb4615119403f60f99c55a95169bd486ddea2bcc44d99f7cafb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 580}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106917, "scanner": "repobility-ast-engine", "fingerprint": "ef9e0fdbab3b85d1427b84d5de3207330b42c8d3148630d2c2d59f9cc92f638b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef9e0fdbab3b85d1427b84d5de3207330b42c8d3148630d2c2d59f9cc92f638b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 572}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106916, "scanner": "repobility-ast-engine", "fingerprint": "7460f35f7c213d77a2956158af03362585019a4ef3c8574c34e2aab5863308ab", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", 
"correlation_key": "fp|7460f35f7c213d77a2956158af03362585019a4ef3c8574c34e2aab5863308ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 106915, "scanner": "repobility-ast-engine", "fingerprint": "7fc30274a912915e2fdb9d63870acb785a0fa71a227b22b76f0fe678b0f269c1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7fc30274a912915e2fdb9d63870acb785a0fa71a227b22b76f0fe678b0f269c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 106871, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39aac8134c24be222778645a26f08950d88e573a4863d71a5830eb918da9477f", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "fix", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|39aac8134c24be222778645a26f08950d88e573a4863d71a5830eb918da9477f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 106870, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45e2300388082b501d21063a7984add562861201b5c7f3254fdcb0e1b8819d11", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "fix", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|45e2300388082b501d21063a7984add562861201b5c7f3254fdcb0e1b8819d11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_final_deep_fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 106869, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58ccc730e92c0804836b7c5cfc0ec51d838017e890321c949f0433cf5e73dab8", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "fix", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|58ccc730e92c0804836b7c5cfc0ec51d838017e890321c949f0433cf5e73dab8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_apply_cascade_tabs_fix.js"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 106868, "scanner": "repobility-ai-code-hygiene", "fingerprint": "193266746c7474f48d4852d920d1e759db7812688d6f9dd20a01ec79ca51a3af", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "fix", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|193266746c7474f48d4852d920d1e759db7812688d6f9dd20a01ec79ca51a3af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 532 lines (recommend <300)"}, "properties": {"repobilityId": 106862, "scanner": "repobility-core", "fingerprint": "a24da8c4bde9e04216d892aa2d1e77143a852e7a3f3a44d6422e3cc956f56201", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|a24da8c4bde9e04216d892aa2d1e77143a852e7a3f3a44d6422e3cc956f56201"}}}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 107130, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt 
file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 107129, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). 
`mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 107097, "scanner": "repobility-threat-engine", "fingerprint": "069b9948744f52ea0aa84cc11f07f61f6fa232f1d4861adee2cb8050f398caf4", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(obs_path):\n    with open(obs_path, \"r\") as f:\n        obs = json.load(f)\n    for k in", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|069b9948744f52ea0aa84cc11f07f61f6fa232f1d4861adee2cb8050f398caf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/full_deploy.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `check_and_clean` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: except=1, for=2, if=2, nested_bonus=5."}, "properties": {"repobilityId": 107095, "scanner": "repobility-threat-engine", "fingerprint": "1c616b76179c737f187b0be9e09fc3ce846238915094241aa162932df469c9ca", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "check_and_clean", "breakdown": {"if": 2, "for": 2, "except": 1, "nested_bonus": 5}, "complexity": 10, "correlation_key": "fp|1c616b76179c737f187b0be9e09fc3ce846238915094241aa162932df469c9ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/proxy_guard.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `get_state_size` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: except=2, for=2, if=1, nested_bonus=2, ternary=1."}, "properties": {"repobilityId": 107094, "scanner": "repobility-threat-engine", "fingerprint": "aca431d05645db42b83a8957d02b15976bb11dafccdae49b558ce5a813866e5d", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_state_size", "breakdown": {"if": 1, "for": 2, "except": 2, "ternary": 1, "nested_bonus": 2}, "complexity": 8, "correlation_key": "fp|aca431d05645db42b83a8957d02b15976bb11dafccdae49b558ce5a813866e5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_trajectory_guard.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 107035, "scanner": "repobility-threat-engine", "fingerprint": "bfc9f30ae68318431b3706f259146f7931e58483b00f156e39f352000ba40985", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'ms (roundtrip ' + dt + 'ms) ---'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bfc9f30ae68318431b3706f259146f7931e58483b00f156e39f352000ba40985"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/brain.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 107034, "scanner": "repobility-threat-engine", "fingerprint": "715c9cbe892adabe292be27290dadd229cbad863e3adf314a266bd85431111d8", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Trial\u8d26\u53f7(overageActive=\" + overageActive + \")\u901a\u8fc7LSP\u8def\u5f84 - \u96f6\u5168\u5c40\u9650\u901f\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|715c9cbe892adabe292be27290dadd229cbad863e3adf314a266bd85431111d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_yin194_helper.js"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 107033, "scanner": "repobility-threat-engine", "fingerprint": "d4d9dd0782e992fa2b9c349a8c7d8aab226e93736471ebbe2569b77e5be656e0", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"[nano] PORT=\"+PORT+\" TOKEN=\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d4d9dd0782e992fa2b9c349a8c7d8aab226e93736471ebbe2569b77e5be656e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "130-\u9053\u72ec\u7acb\u4f53_Standalone/01-VM/vm-side/dao_nano_public.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@vscode/vsce` is minor version(s) behind (^3.6.0 -> 3.9.2)"}, "properties": {"repobilityId": 106978, "scanner": "repobility-dependency-currency", "fingerprint": "93be51d7d68e14d0b65b50e6c5143c96c966e2f902e9a2993af585bff0aaafe1", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vscode/vsce", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.9.2", "correlation_key": "fp|93be51d7d68e14d0b65b50e6c5143c96c966e2f902e9a2993af585bff0aaafe1", "current_version": "^3.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dao-proxy-min/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/vscode` is minor version(s) 
behind (^1.84.0 -> 1.120.0)"}, "properties": {"repobilityId": 106977, "scanner": "repobility-dependency-currency", "fingerprint": "eb26564dfe53c940a0d4eb51bc59acaeeec93cc056181e841b69d632d0dd2682", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/vscode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.120.0", "correlation_key": "fp|eb26564dfe53c940a0d4eb51bc59acaeeec93cc056181e841b69d632d0dd2682", "current_version": "^1.84.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dao-proxy-min/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `postcss` is minor version(s) behind (8.4.31 -> 8.5.15)"}, "properties": {"repobilityId": 106976, "scanner": "repobility-dependency-currency", "fingerprint": "da1a2cb45598486a35fcf44d66469493840aa66c4599dccd630d4e97abef967d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "postcss", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.5.15", "correlation_key": "fp|da1a2cb45598486a35fcf44d66469493840aa66c4599dccd630d4e97abef967d", "current_version": "8.4.31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `autoprefixer` is minor version(s) behind (10.4.24 -> 10.5.0)"}, "properties": {"repobilityId": 106975, 
"scanner": "repobility-dependency-currency", "fingerprint": "8dc5c4922d054125d92b36756377a05cd82d56f6dcda545cd265136f9faade15", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "autoprefixer", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "10.5.0", "correlation_key": "fp|8dc5c4922d054125d92b36756377a05cd82d56f6dcda545cd265136f9faade15", "current_version": "10.4.24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `ws` is minor version(s) behind (8.19.0 -> 8.21.0)"}, "properties": {"repobilityId": 106973, "scanner": "repobility-dependency-currency", "fingerprint": "42bc58fd9922cd75ee5f6159e162dc860bcc10ffeedab58904bfb0968530164f", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ws", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.21.0", "correlation_key": "fp|42bc58fd9922cd75ee5f6159e162dc860bcc10ffeedab58904bfb0968530164f", "current_version": "8.19.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@vscode/vsce` is minor version(s) behind (^3.6.0 -> 3.9.2)"}, "properties": {"repobilityId": 106972, "scanner": 
"repobility-dependency-currency", "fingerprint": "f7078ad71f86d4b8d6cec9fd48f24c5eaad388888dc6178fd38aa77d686e0c28", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vscode/vsce", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.9.2", "correlation_key": "fp|f7078ad71f86d4b8d6cec9fd48f24c5eaad388888dc6178fd38aa77d686e0c28", "current_version": "^3.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/070-\u63d2\u4ef6_Plugins/020-\u9053VSIX_DaoAgi/dao-proxy-min/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/vscode` is minor version(s) behind (^1.84.0 -> 1.120.0)"}, "properties": {"repobilityId": 106971, "scanner": "repobility-dependency-currency", "fingerprint": "f0af34bf2256856579f015faed7a2135b1d6fbcc6caa1d061f0511f8c3ecaba6", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/vscode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.120.0", "correlation_key": "fp|f0af34bf2256856579f015faed7a2135b1d6fbcc6caa1d061f0511f8c3ecaba6", "current_version": "^1.84.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/070-\u63d2\u4ef6_Plugins/020-\u9053VSIX_DaoAgi/dao-proxy-min/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@vscode/vsce` is minor version(s) behind (^3.6.0 -> 3.9.2)"}, "properties": {"repobilityId": 
106970, "scanner": "repobility-dependency-currency", "fingerprint": "bc047efd3ebe2aec0b5d70d24d693679983d1525bacde5056cc7422ceb105de2", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vscode/vsce", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.9.2", "correlation_key": "fp|bc047efd3ebe2aec0b5d70d24d693679983d1525bacde5056cc7422ceb105de2", "current_version": "^3.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/070-\u63d2\u4ef6_Plugins/020-\u9053VSIX_DaoAgi/dao-proxy-max/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/vscode` is minor version(s) behind (^1.84.0 -> 1.120.0)"}, "properties": {"repobilityId": 106969, "scanner": "repobility-dependency-currency", "fingerprint": "93545adefcdfdaae853ca6791b9ca3a2ed24d509c3154cb0debb7d4c9e5aece3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/vscode", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.120.0", "correlation_key": "fp|93545adefcdfdaae853ca6791b9ca3a2ed24d509c3154cb0debb7d4c9e5aece3", "current_version": "^1.84.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/070-\u63d2\u4ef6_Plugins/020-\u9053VSIX_DaoAgi/dao-proxy-max/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 
106896, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96cb0854387130bad27735e3d6d98749076dcbb2f778a86987b2dce6b2152486", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "ok", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/\u8bca\u65ad.py", "correlation_key": "fp|96cb0854387130bad27735e3d6d98749076dcbb2f778a86987b2dce6b2152486"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_final_deep_fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 106895, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cbed6670c372d68c969b3d23ec307f53b5234e0d6eaf946ad7fbe350784f510d", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "ex", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_dao.py", "correlation_key": "fp|cbed6670c372d68c969b3d23ec307f53b5234e0d6eaf946ad7fbe350784f510d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 106894, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70d674afc8c696d09ea545c5550e20fbcbbc39eb47fa4a1e53e51fa7895fb37e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/dao_bootstrap.js", "duplicate_line": 46, "correlation_key": "fp|70d674afc8c696d09ea545c5550e20fbcbbc39eb47fa4a1e53e51fa7895fb37e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dao_github_sync.js"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106893, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da07d773fb802cee4576b53b61425e7631a446b84991bdbc032a71b14b448fe8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/dao-vm/vm_direct.js", "duplicate_line": 151, "correlation_key": "fp|da07d773fb802cee4576b53b61425e7631a446b84991bdbc032a71b14b448fe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dao-vm/vm_up.js"}, "region": {"startLine": 394}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106892, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"94eaa74a25ad2a9304a7cb57c3016f8c0d81224d158bd9ce6198c666fb2adb4f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/dao-injector/extension/inject.js", "duplicate_line": 28, "correlation_key": "fp|94eaa74a25ad2a9304a7cb57c3016f8c0d81224d158bd9ce6198c666fb2adb4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dao-injector/userscript/dao-devin-sp-inject.user.js"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106891, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1b03d3274bc13217020ac158a00407b8c9bc3c2db20b5be507b56bb2dad19edd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/130-\u9053\u72ec\u7acb\u4f53_Standalone/05-GitHub/_hdougle_\u6d4b\u8bd5/lj_verify.js", "duplicate_line": 72, "correlation_key": "fp|1b03d3274bc13217020ac158a00407b8c9bc3c2db20b5be507b56bb2dad19edd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/130-\u9053\u72ec\u7acb\u4f53_Standalone/05-GitHub/_hdougle_\u6d4b\u8bd5/verify_pat.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106890, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "fced5ed82f8f7eded8f7f07111551143d05c9ddfd7d0aeea291b4bc332e5f8c5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/130-\u9053\u72ec\u7acb\u4f53_Standalone/05-GitHub/_hdougle_\u6d4b\u8bd5/chat_nostream.js", "duplicate_line": 16, "correlation_key": "fp|fced5ed82f8f7eded8f7f07111551143d05c9ddfd7d0aeea291b4bc332e5f8c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/130-\u9053\u72ec\u7acb\u4f53_Standalone/05-GitHub/_hdougle_\u6d4b\u8bd5/chat_via_proxy.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106889, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0182b3dea304821a4dc6a665eded70c72bfcc3ceaf31bfc23cfc00ab6972aae8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/full_deploy.py", "duplicate_line": 19, "correlation_key": "fp|0182b3dea304821a4dc6a665eded70c72bfcc3ceaf31bfc23cfc00ab6972aae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/inject_zyk.py"}, "region": 
{"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106888, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a7cd2048fa76afccc0ff787b240c2ece3799dbc9ab483192cd15f1fd866ff549", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/inject_admin.py", "duplicate_line": 14, "correlation_key": "fp|a7cd2048fa76afccc0ff787b240c2ece3799dbc9ab483192cd15f1fd866ff549"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/inject_zyk.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106887, "scanner": "repobility-ai-code-hygiene", "fingerprint": "908d39e3e909a6ae023d5e6fdaee8e0035a290b1aab08501b06c48dd53c37040", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/full_deploy.py", "duplicate_line": 23, "correlation_key": "fp|908d39e3e909a6ae023d5e6fdaee8e0035a290b1aab08501b06c48dd53c37040"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/inject_admin.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106886, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8303ca17463600f0f463ebb44f424c9e6cd25a21ff9ba03a57e9136fb97a032e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_cascade_flow.js", "duplicate_line": 28, "correlation_key": "fp|8303ca17463600f0f463ebb44f424c9e6cd25a21ff9ba03a57e9136fb97a032e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_raw_chat.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106885, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e0bd5314bf5ae534b2ada3b5c840525bd4c533053be50f46dbbd2785159daf33", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_minimal.js", "duplicate_line": 8, "correlation_key": 
"fp|e0bd5314bf5ae534b2ada3b5c840525bd4c533053be50f46dbbd2785159daf33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_raw_chat.js"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106884, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e370cb5da7664f6c266c1b92ee64e1c8aedfe981bc357294423ba7b5719bd851", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_chat.js", "duplicate_line": 35, "correlation_key": "fp|e370cb5da7664f6c266c1b92ee64e1c8aedfe981bc357294423ba7b5719bd851"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_json.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106883, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76b83acb18c745664559b3815025253829afc33436e03a5fbf90e30f3dc76a53", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_cascade_flow.js", "duplicate_line": 17, "correlation_key": "fp|76b83acb18c745664559b3815025253829afc33436e03a5fbf90e30f3dc76a53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_json.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106882, "scanner": "repobility-ai-code-hygiene", "fingerprint": "40f26f19a4b510b0094c9a64be24d2c74397dc1c4bfbb1575f1f3b4d7633c851", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_cascade_flow.js", "duplicate_line": 30, "correlation_key": "fp|40f26f19a4b510b0094c9a64be24d2c74397dc1c4bfbb1575f1f3b4d7633c851"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_chat_methods.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106881, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e473da8f8a5939bf1a038d62f9afcdfcf2fd60fe9968be3f3c57284566ba8845", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_chat.js", "duplicate_line": 15, "correlation_key": "fp|e473da8f8a5939bf1a038d62f9afcdfcf2fd60fe9968be3f3c57284566ba8845"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_chat_methods.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106880, "scanner": "repobility-ai-code-hygiene", "fingerprint": "783a22aecf777af2477132d6846ed0e64e576ffae582736bf332946f36e610bc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_cascade_flow.js", "duplicate_line": 17, "correlation_key": "fp|783a22aecf777af2477132d6846ed0e64e576ffae582736bf332946f36e610bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_chat.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106879, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a194d5e664cd1df21f05c7caab98615894ca76d67332c4ec2192b490263e4b69", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix.py", "duplicate_line": 2, "correlation_key": "fp|a194d5e664cd1df21f05c7caab98615894ca76d67332c4ec2192b490263e4b69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_quick.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106878, "scanner": "repobility-ai-code-hygiene", "fingerprint": "686fda518fb2060cb7eef3ef6dc25508a1fa202d1b7cd37f13f2a84bb81b3ea3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix.py", "duplicate_line": 3, "correlation_key": "fp|686fda518fb2060cb7eef3ef6dc25508a1fa202d1b7cd37f13f2a84bb81b3ea3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix3.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106877, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17b7f90d66aca960ac8e105284b06fcdae61046dbd0603019581cc28eb9e5804", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix2.py", "duplicate_line": 2, "correlation_key": "fp|17b7f90d66aca960ac8e105284b06fcdae61046dbd0603019581cc28eb9e5804"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix3.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106876, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75bae436f43edd0363f685fbdb5337ce4bbc83efa113d90c3e7a3731b79d73b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix.py", "duplicate_line": 3, "correlation_key": "fp|75bae436f43edd0363f685fbdb5337ce4bbc83efa113d90c3e7a3731b79d73b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix2.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106875, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dd65cda6844fd04de70d3a2abfc37b42e807b563569b8399fa9e4f0515c3f736", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix.py", "duplicate_line": 2, "correlation_key": "fp|dd65cda6844fd04de70d3a2abfc37b42e807b563569b8399fa9e4f0515c3f736"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_dao.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106874, "scanner": "repobility-ai-code-hygiene", "fingerprint": "645157fc292e677d763facc7a0ddc7fb4c8f620159d90328884f497b4df32f06", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_diag_179_statedb.js", "duplicate_line": 1, "correlation_key": "fp|645157fc292e677d763facc7a0ddc7fb4c8f620159d90328884f497b4df32f06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_diag_editor_state.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106873, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c512d878d60cdc677697ca44f636cd6fdb7dcce95a8f2b1ada3ea48561d643f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/030-\u989d\u5ea6_Credits/\u4e34\u65f6\u8d26\u53f7\u798f\u5229/dao_credit_check.js", "duplicate_line": 46, "correlation_key": "fp|1c512d878d60cdc677697ca44f636cd6fdb7dcce95a8f2b1ada3ea48561d643f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/030-\u989d\u5ea6_Credits/\u4e34\u65f6\u8d26\u53f7\u798f\u5229/dao_credit_force.js"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 106872, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0da78bf1363730ecd590b760d37f88b7dfd7008562668564a5068b6b2fe33600", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Windsurf\u4e07\u6cd5\u5f52\u5b97/010-\u53cd\u4ee3_Proxy/dao-agent/setup.js", "duplicate_line": 10, "correlation_key": "fp|0da78bf1363730ecd590b760d37f88b7dfd7008562668564a5068b6b2fe33600"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/010-\u53cd\u4ee3_Proxy/dao-agent/unwind.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 106867, "scanner": "repobility-ai-code-hygiene", "fingerprint": "504bb8a24352d8ddbaee69a46fe2454352e6836e3c6a4b0282532812c56aed87", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, 
"reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|504bb8a24352d8ddbaee69a46fe2454352e6836e3c6a4b0282532812c56aed87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 106866, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f2016a0e3936cf723b3e9950a91fa0b4acb9bbcde79616a2846b50a722873cc", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|3f2016a0e3936cf723b3e9950a91fa0b4acb9bbcde79616a2846b50a722873cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_final_deep_fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 106865, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75cc8f9e9dfa94c8eab2760f54904923089580dcf8de50115b780e95ed870ce6", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], 
"correlation_key": "fp|75cc8f9e9dfa94c8eab2760f54904923089580dcf8de50115b780e95ed870ce6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_apply_cascade_tabs_fix.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 106864, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35286a6b2b6a0627b5d47fe5baf3b7f5c57a62ae5fc3799e4456cd6c6865eaca", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|35286a6b2b6a0627b5d47fe5baf3b7f5c57a62ae5fc3799e4456cd6c6865eaca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_fix.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC006", "level": "note", "message": {"text": "Archive or legacy directory is mixed into the active repository root"}, "properties": {"repobilityId": 106863, "scanner": "repobility-ai-code-hygiene", "fingerprint": "71e6b03d6b2249a3e748e64635893588c39cd2ae260f382d5dfa735904573f34", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains an archive/legacy directory name.", "evidence": {"rule_id": "AIC006", "scanner": "repobility-ai-code-hygiene", "directory": "_archive", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|71e6b03d6b2249a3e748e64635893588c39cd2ae260f382d5dfa735904573f34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_archive"}, "region": {"startLine": 
1}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 107106, "scanner": "repobility-threat-engine", "fingerprint": "736f0659160691a3c72afd93a4bbbe624e21e45ae7e4a16f669b92aeac7366bf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|736f0659160691a3c72afd93a4bbbe624e21e45ae7e4a16f669b92aeac7366bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dao-injector/extension/inject.js"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 107099, "scanner": "repobility-threat-engine", "fingerprint": "4122966b2c049eefe59853bd1a309894fb86489d8bda7bdf14166bc38421d5f1", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, 
"observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4122966b2c049eefe59853bd1a309894fb86489d8bda7bdf14166bc38421d5f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/fb_test.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 107096, "scanner": "repobility-threat-engine", "fingerprint": "29306b5028b90ab8087937c717cb745fd7e07ab4ccb4b2237f19cccb49788ca3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "cleanup_trajectories", "breakdown": {"if": 8, "for": 3, "elif": 3, "else": 1, "except": 4, "nested_bonus": 17}, "aggregated": true, "complexity": 36, "correlation_key": "fp|29306b5028b90ab8087937c717cb745fd7e07ab4ccb4b2237f19cccb49788ca3", "aggregated_count": 9}}}, {"ruleId": "SEC049", "level": "none", "message": {"text": "[SEC049] GCP API key (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 107089, "scanner": "repobility-threat-engine", "fingerprint": "22453f079768394b6b9babe884a27be095c64aafee3b49a0e0bba7f8e2b0ce41", "category": "secret", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC049", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|22453f079768394b6b9babe884a27be095c64aafee3b49a0e0bba7f8e2b0ce41"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 107085, "scanner": "repobility-threat-engine", "fingerprint": "e2d6fe83e6119ea485cab394cf9959589330f89c66dc1c2fecb9ad7d7c8eebe1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e2d6fe83e6119ea485cab394cf9959589330f89c66dc1c2fecb9ad7d7c8eebe1"}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 107078, "scanner": "repobility-threat-engine", "fingerprint": "15bb2bf8fd9895e22dd5ed5ac02934d33277597f4af1b8fa48c7b063b9c43e0b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, 
"scanner": "repobility-threat-engine", "correlation_key": "fp|15bb2bf8fd9895e22dd5ed5ac02934d33277597f4af1b8fa48c7b063b9c43e0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/\u5b98\u65b9\u6a21\u5f0f\u56de\u5f52.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 107077, "scanner": "repobility-threat-engine", "fingerprint": "deb9dd36e2d20ffa3eed0356aef1552e4b08a7f550fa7adbce2ca20256d0d895", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|deb9dd36e2d20ffa3eed0356aef1552e4b08a7f550fa7adbce2ca20256d0d895"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_trajectory_guard.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 107076, "scanner": "repobility-threat-engine", "fingerprint": "8e4467f6fa6cced5c9eaec4ff96fc0a59c05ca9ad71f73d0371a3e0472bc55f2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no 
mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e4467f6fa6cced5c9eaec4ff96fc0a59c05ca9ad71f73d0371a3e0472bc55f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_deep_probe.py"}, "region": {"startLine": 273}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 107072, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 107068, "scanner": "repobility-threat-engine", "fingerprint": "b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 107067, "scanner": "repobility-threat-engine", "fingerprint": "26219bcfccf85968de153fb7906134714104b490de9fa600d7db9f19da83b3bb", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|windsurf /060- _repair token|66|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_json.js"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and 
timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 107066, "scanner": "repobility-threat-engine", "fingerprint": "8b8336eefeec73fb26316c9da784dd5c3cbdb92c716b7412a88161c9d8d5fe42", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|windsurf /060- _repair token|8|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_dump.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 107065, "scanner": "repobility-threat-engine", "fingerprint": "07b9cda241b238db98e3dd5836cf283b4336d4577917711846a9c4dbe0a80e54", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|windsurf /060- _repair/_build_server.js|155|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_build_server.js"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 107064, "scanner": "repobility-threat-engine", "fingerprint": "2ac03ad11831141dc91534de5bedcefe1c1c1d92ed9ec96fb0f7eef383944d04", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ac03ad11831141dc91534de5bedcefe1c1c1d92ed9ec96fb0f7eef383944d04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_fix.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED077", 
"level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 107063, "scanner": "repobility-threat-engine", "fingerprint": "815f8c158b89581ff902253a9d05631e56adcbe698c61bbf47313a44cb66ee76", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|815f8c158b89581ff902253a9d05631e56adcbe698c61bbf47313a44cb66ee76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_db_diag.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 107062, "scanner": "repobility-threat-engine", "fingerprint": "ed2a4a35eb7aa8a7be20b99524de3fc7e34e1bae6cbce71b0dea3a7370a7b281", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ed2a4a35eb7aa8a7be20b99524de3fc7e34e1bae6cbce71b0dea3a7370a7b281", "aggregated_count": 4}}}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 107061, "scanner": "repobility-threat-engine", "fingerprint": "41c3b90dd0f127eb90881836d1b5f59500012b1f9b31136e5be964840d0af8c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41c3b90dd0f127eb90881836d1b5f59500012b1f9b31136e5be964840d0af8c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/check_wam.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 107060, "scanner": "repobility-threat-engine", "fingerprint": "b5805338ca52a6fbd663180d50c5a13f212602c6c3dfa2901a1e5736b7ec0020", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b5805338ca52a6fbd663180d50c5a13f212602c6c3dfa2901a1e5736b7ec0020"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_fix.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 107059, "scanner": "repobility-threat-engine", "fingerprint": "9282ef77aa2e85864593a6e921a4c2734d71252769e51333ffc9417923c02cf3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9282ef77aa2e85864593a6e921a4c2734d71252769e51333ffc9417923c02cf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_db_diag.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED021", "level": "none", "message": {"text": "[MINED021] Path Traversal Os Join (and 9 more): Same pattern found in 9 additional 
files. Review if needed."}, "properties": {"repobilityId": 107058, "scanner": "repobility-threat-engine", "fingerprint": "8bd0880d9cacfb934f4e56e318d337296485b0f4650a0d26bbb6eba84ccf7d05", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8bd0880d9cacfb934f4e56e318d337296485b0f4650a0d26bbb6eba84ccf7d05", "aggregated_count": 9}}}, {"ruleId": "MINED014", "level": "none", "message": {"text": "[MINED014] Disabled Tls Verify (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 107054, "scanner": "repobility-threat-engine", "fingerprint": "d4059a0f0292b9e989447cef01cd0da25658f2c0442fe905076819613983fd29", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d4059a0f0292b9e989447cef01cd0da25658f2c0442fe905076819613983fd29", "aggregated_count": 5}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 107050, "scanner": "repobility-threat-engine", "fingerprint": "cab71e3e0d858a3b16cef86155b5a70720336ed5d7b2fcc3b519bb449894bd76", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|cab71e3e0d858a3b16cef86155b5a70720336ed5d7b2fcc3b519bb449894bd76"}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 16 more): Same pattern found in 16 additional files. 
Review if needed."}, "properties": {"repobilityId": 107046, "scanner": "repobility-threat-engine", "fingerprint": "e4ebaed24a9bca837779c91c3b94586e8acdcaae4177b040d20bc1e9a6a756a0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e4ebaed24a9bca837779c91c3b94586e8acdcaae4177b040d20bc1e9a6a756a0", "aggregated_count": 16}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 107045, "scanner": "repobility-threat-engine", "fingerprint": "2dc39d67b5a7358763a6dcfdb036915aebde838fc211e2b9c7fca321e959fdc9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2dc39d67b5a7358763a6dcfdb036915aebde838fc211e2b9c7fca321e959fdc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_lt_sys.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": 
"[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 107044, "scanner": "repobility-threat-engine", "fingerprint": "ec1436bbef9bd1d05055a3342d44ebc5e8a242bc0d493a162f34fd467d5a934a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec1436bbef9bd1d05055a3342d44ebc5e8a242bc0d493a162f34fd467d5a934a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_laptop_diag.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 107043, "scanner": "repobility-threat-engine", "fingerprint": "62018062c363a9817bd38a97dd563051d20712a99c44b267550b44d4f0bf7430", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62018062c363a9817bd38a97dd563051d20712a99c44b267550b44d4f0bf7430"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"130-\u9053\u72ec\u7acb\u4f53_Standalone/01-VM/vm-side/dao_nano_public.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 79 more): Same pattern found in 79 additional files. Review if needed."}, "properties": {"repobilityId": 107042, "scanner": "repobility-threat-engine", "fingerprint": "9badea7fe33b488ef199af23745bf3df7834c2c9eaf2dfef7251c6b2fc545ae0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 79 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9badea7fe33b488ef199af23745bf3df7834c2c9eaf2dfef7251c6b2fc545ae0", "aggregated_count": 79}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 107041, "scanner": "repobility-threat-engine", "fingerprint": "7f8945e9383677ebc2094e1bb7a9e394117ab1cbe8d4a8a493a18be8975484bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7f8945e9383677ebc2094e1bb7a9e394117ab1cbe8d4a8a493a18be8975484bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/010-\u53cd\u4ee3_Proxy/dao-agent/unwind.js"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 107040, "scanner": "repobility-threat-engine", "fingerprint": "3faa875a19987fa2387b2729b60214045d21b520cb3f5c6e811d11b061ed23e5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3faa875a19987fa2387b2729b60214045d21b520cb3f5c6e811d11b061ed23e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/010-\u53cd\u4ee3_Proxy/dao-agent/setup.js"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 107039, "scanner": "repobility-threat-engine", "fingerprint": "d1f797c5a73010c78cdee93e14fde600628cf00a69ec14dcb446e65f541da152", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1f797c5a73010c78cdee93e14fde600628cf00a69ec14dcb446e65f541da152"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "130-\u9053\u72ec\u7acb\u4f53_Standalone/01-VM/vm-side/dao_nano_public.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 107038, "scanner": "repobility-threat-engine", "fingerprint": "b2252259037f5814072ac5c150cf05ce33ca408e8ae24e2724e72e455e07ef15", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b2252259037f5814072ac5c150cf05ce33ca408e8ae24e2724e72e455e07ef15"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "n.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 107037, "scanner": "repobility-threat-engine", "fingerprint": "d010b34490baeeb7d2fcb09749eb6930efe05f3622a6746471a762bfaf311f47", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d010b34490baeeb7d2fcb09749eb6930efe05f3622a6746471a762bfaf311f47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "130-\u9053\u72ec\u7acb\u4f53_Standalone/01-VM/vm-side/dao_nano_public.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 107036, "scanner": "repobility-threat-engine", "fingerprint": "097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1"}}}, {"ruleId": "SEC100", "level": "none", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 107032, "scanner": "repobility-threat-engine", "fingerprint": "54fca9d7755070a0bcdd2fd0d7901c558568e2ebe97f44d324816df3c5282639", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|54fca9d7755070a0bcdd2fd0d7901c558568e2ebe97f44d324816df3c5282639"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 107028, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 107024, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 107020, "scanner": "repobility-threat-engine", "fingerprint": "a1abc0f73fcbbde4bfde07d3a1caa75668c0f255cd2533e6367562d2e96a50c7", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 25 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a1abc0f73fcbbde4bfde07d3a1caa75668c0f255cd2533e6367562d2e96a50c7"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 107016, "scanner": "repobility-threat-engine", "fingerprint": "fbf7f04481457659dfcb414a049ad63894a5cdae4a3cd0dd7ab5cc4c67bc2155", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fbf7f04481457659dfcb414a049ad63894a5cdae4a3cd0dd7ab5cc4c67bc2155"}}}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 107105, "scanner": "repobility-threat-engine", "fingerprint": "ffe9f204a95c80dd6a0fa720343124058229eed873d2bb937e87111899cb786f", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n    (p) => `cloudflared tunnel --url http://localhost:${p} --no-autoupdate 2>/tmp/cf_${p}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ffe9f204a95c80dd6a0fa720343124058229eed873d2bb937e87111899cb786f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dao-vm/vm_tunnel.js"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 107104, "scanner": "repobility-threat-engine", "fingerprint": "9458403007ab9837a1012f6de04171fa7165171bd86153812206a1803f39b0c7", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((a) => `${a.email}:${a.password}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9458403007ab9837a1012f6de04171fa7165171bd86153812206a1803f39b0c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/130-\u9053\u72ec\u7acb\u4f53_Standalone/05-GitHub/_hdougle_\u6d4b\u8bd5/lj_to_hdougle.js"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 107103, "scanner": "repobility-threat-engine", "fingerprint": "1b0c8d9c190859d94a9478c5af8ec4db7c5301286e9b25b5f48b29434254bc49", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b0c8d9c190859d94a9478c5af8ec4db7c5301286e9b25b5f48b29434254bc49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"Windsurf\u4e07\u6cd5\u5f52\u5b97/130-\u9053\u72ec\u7acb\u4f53_Standalone/05-GitHub/_hdougle_\u6d4b\u8bd5/dao_hd_set_secret.js"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 107100, "scanner": "repobility-threat-engine", "fingerprint": "ce21c459d7f307ed5ae8513db88ee2f411ea8dddcb5994b9ae34ef270db205c2", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'\"apiServerUrl\"\\s*:\\s*\"([^\"]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|windsurf /060- _repair/ .py|84|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/\u5b98\u65b9\u6a21\u5f0f\u56de\u5f52.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `cleanup_trajectories` has cognitive complexity 36 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=3, else=1, except=4, for=3, if=8, nested_bonus=17."}, "properties": {"repobilityId": 107093, "scanner": "repobility-threat-engine", "fingerprint": "6fa95c935694caed984ae97817a8f37cc6bf34777fc0b08317c9904b41296a9b", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 36 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "cleanup_trajectories", "breakdown": {"if": 8, "for": 3, "elif": 3, "else": 1, "except": 4, "nested_bonus": 17}, "complexity": 36, "correlation_key": "fp|6fa95c935694caed984ae97817a8f37cc6bf34777fc0b08317c9904b41296a9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_trajectory_guard.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 107075, "scanner": "repobility-threat-engine", "fingerprint": "3e114916886a35a23701042c3259ea243aaedb9229613a50e6e0a46682636f9e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e114916886a35a23701042c3259ea243aaedb9229613a50e6e0a46682636f9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/\u5b98\u65b9\u6a21\u5f0f\u56de\u5f52.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 107074, "scanner": "repobility-threat-engine", "fingerprint": "eb4168c6391c57e833c8c41cf3e7e08d237f9c2424c2adf47597fdc2e13b6878", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb4168c6391c57e833c8c41cf3e7e08d237f9c2424c2adf47597fdc2e13b6878"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_trajectory_guard.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 107073, "scanner": "repobility-threat-engine", "fingerprint": "aa59b63b25887267dd53e9bcb72ad7bf523232996296065b5977b69b42f90098", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, 
"promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa59b63b25887267dd53e9bcb72ad7bf523232996296065b5977b69b42f90098"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_deep_probe.py"}, "region": {"startLine": 272}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 107057, "scanner": "repobility-threat-engine", "fingerprint": "bc85aea8c6847b6dfa3f73c326520773b3c07d37fd88cde43926b6f7ad802ee7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc85aea8c6847b6dfa3f73c326520773b3c07d37fd88cde43926b6f7ad802ee7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_net_check.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 107056, "scanner": "repobility-threat-engine", "fingerprint": "f7447ac50c9bfade5a00a585816a2b486c9373c9c030d55ba27b595d00ec3482", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f7447ac50c9bfade5a00a585816a2b486c9373c9c030d55ba27b595d00ec3482"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_fix.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 107055, "scanner": "repobility-threat-engine", "fingerprint": "3345cc4ec322db652f2da45b97bd7d632a925b7355d93d22c5eda992f2720a10", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3345cc4ec322db652f2da45b97bd7d632a925b7355d93d22c5eda992f2720a10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_db_diag.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": 
{"repobilityId": 107053, "scanner": "repobility-threat-engine", "fingerprint": "4447d44001c1c6408331c9a3d799bdd5b7096e5155caffd9473f48d093464eaf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4447d44001c1c6408331c9a3d799bdd5b7096e5155caffd9473f48d093464eaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/130-\u9053\u72ec\u7acb\u4f53_Standalone/05-GitHub/_hdougle_\u6d4b\u8bd5/chat_direct.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 107052, "scanner": "repobility-threat-engine", "fingerprint": "9b3b4c8a563f365812ab7baa8463ca4ccb85802960c9af3e17614745c4524770", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b3b4c8a563f365812ab7baa8463ca4ccb85802960c9af3e17614745c4524770"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_build_server.js"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 107051, "scanner": "repobility-threat-engine", "fingerprint": "17f1e48bfba74aa9ebc2ab8afd248f5ebc4a2c5f5d96f6a7fa0c0d227febc73e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17f1e48bfba74aa9ebc2ab8afd248f5ebc4a2c5f5d96f6a7fa0c0d227febc73e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/030-\u989d\u5ea6_Credits/\u4e34\u65f6\u8d26\u53f7\u798f\u5229/dao_credit_check.js"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 107049, "scanner": "repobility-threat-engine", "fingerprint": "92a24521cd841772a0c415b2a3d0f40fd5d29b6be28b9d96b400a7e5e1f38af0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "req.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92a24521cd841772a0c415b2a3d0f40fd5d29b6be28b9d96b400a7e5e1f38af0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_cascade_flow.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 107048, "scanner": "repobility-threat-engine", "fingerprint": "567d947477acd71569225866538298984d22d428d0a6621f5aa9ce419ce8ca6a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "s.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|567d947477acd71569225866538298984d22d428d0a6621f5aa9ce419ce8ca6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/030-\u989d\u5ea6_Credits/\u4e34\u65f6\u8d26\u53f7\u798f\u5229/dao_credit_check.js"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 107047, "scanner": "repobility-threat-engine", "fingerprint": "40ed67359c37abd30f347fe9ed442a5fe97c359b0b01f222879dc9962e9496c9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "req.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|40ed67359c37abd30f347fe9ed442a5fe97c359b0b01f222879dc9962e9496c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/010-\u53cd\u4ee3_Proxy/dao-agent/setup.js"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`. Browsers refuse a literal `*` on credentialed requests, so confirm whether the server echoes the request Origin instead, and prefer an explicit origin allowlist."}, "properties": {"repobilityId": 107031, "scanner": "repobility-threat-engine", "fingerprint": "077550e2bdba7c9f4c173063946bafb44a5f46409d4fc628577c2619485d51f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\",\"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|077550e2bdba7c9f4c173063946bafb44a5f46409d4fc628577c2619485d51f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "n.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`. Browsers refuse a literal `*` on credentialed requests, so confirm whether the server echoes the request Origin instead, and prefer an explicit origin allowlist."}, "properties": {"repobilityId": 107030, "scanner": "repobility-threat-engine", "fingerprint": "233ceb9f8f1fe2c0838517f4c5839e935f96e42b7b51300a9b148000380ebc20", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin', '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|233ceb9f8f1fe2c0838517f4c5839e935f96e42b7b51300a9b148000380ebc20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/gateway.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`. Browsers refuse a literal `*` on credentialed requests, so confirm whether the server echoes the request Origin instead, and prefer an explicit origin allowlist."}, "properties": {"repobilityId": 107029, "scanner": "repobility-threat-engine", "fingerprint": "fdc5ede3d1a6573da4321e477534f8c10822bf6b58b54cace50d09dec8a76fd0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\",\"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fdc5ede3d1a6573da4321e477534f8c10822bf6b58b54cace50d09dec8a76fd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "130-\u9053\u72ec\u7acb\u4f53_Standalone/01-VM/vm-side/dao_nano_public.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 107027, "scanner": "repobility-threat-engine", "fingerprint": "0dad502ada506316e2228ce4512a695fc2419230590c731ba585f40e03273e6b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0dad502ada506316e2228ce4512a695fc2419230590c731ba585f40e03273e6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_find_request.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 107026, "scanner": "repobility-threat-engine", "fingerprint": "a0c12ac6bc1b60dfaa673759d9bd8ce2e3714aea4744d3735c4ca6c7e9596fc6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a0c12ac6bc1b60dfaa673759d9bd8ce2e3714aea4744d3735c4ca6c7e9596fc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_diag_leveldb_deep.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 107025, "scanner": "repobility-threat-engine", "fingerprint": "99b291ba20ea292fe55731d7dd976b74c565edc8a8009ab758927673aa1af8c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|99b291ba20ea292fe55731d7dd976b74c565edc8a8009ab758927673aa1af8c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "130-\u9053\u72ec\u7acb\u4f53_Standalone/01-VM/vm-side/dao_nano_public.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 107019, "scanner": "repobility-threat-engine", "fingerprint": "69ad04ef931b577951ec265d122699f708a2ebf2689b3b0d909c384b26609ea8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|69ad04ef931b577951ec265d122699f708a2ebf2689b3b0d909c384b26609ea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_diag_zroliu.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 107018, "scanner": "repobility-threat-engine", "fingerprint": "3b1a6233cd2de22fe47c1dfcabebf449999263df0173c348feb6843d8e8dc241", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.get(R", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b1a6233cd2de22fe47c1dfcabebf449999263df0173c348feb6843d8e8dc241"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/010-\u53cd\u4ee3_Proxy/dao-agent/setup.js"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 107017, "scanner": "repobility-threat-engine", "fingerprint": "21f478997921ee764bfbfb0075022abad83be9c7180abef5dcd011ce630391d3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|21f478997921ee764bfbfb0075022abad83be9c7180abef5dcd011ce630391d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "130-\u9053\u72ec\u7acb\u4f53_Standalone/01-VM/vm-side/dao_nano_public.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 107015, "scanner": "repobility-threat-engine", "fingerprint": "22ecb815f79d56eaa92c324d2855f43b1712e8c8a1dbe7f8420b2241d2ed13fa", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(\"  active   :\", json.apiKey?.account || \"unknown\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|windsurf /060- _repair/_yin194_helper.js|6|console.log active : json.apikey .account unknown"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_yin194_helper.js"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 107014, "scanner": "repobility-threat-engine", "fingerprint": "b891fec3447ebc89f0e1f733e29391394f7ea043369d0d93a16ad0d08b389158", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "console.log(`LS pid=${ls.pid} port=${ls.port}, apiKey ok=${ak.ok}`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|windsurf /060- _repair token|5|console.log ls pid ls.pid port ls.port apikey ok ak.ok", "duplicate_count": 1, "duplicate_rule_ids": ["SEC020"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["b891fec3447ebc89f0e1f733e29391394f7ea043369d0d93a16ad0d08b389158", "eddf7ed67f7e5d9d0e86365901bd2b565ebacd22916a470e2e73c99a7fb6e5b0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_root_analysis/_probe_json.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "AGT003", "level": "error", "message": {"text": "User-editable role instructions are inserted into the system prompt"}, "properties": {"repobilityId": 107013, "scanner": "repobility-agent-runtime", "fingerprint": "231e087ce522ab40c9b70979f339eb4bfe41f3c66ee0e36f85e48f037feb7a82", "category": "llm_injection", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to combine a user-editable role/fleet instruction with system prompt construction without visible bounds or sanitizer.", "evidence": {"rule_id": "AGT003", "scanner": 
"repobility-agent-runtime", "data_flow": "user_editable_role_to_system_prompt", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|231e087ce522ab40c9b70979f339eb4bfe41f3c66ee0e36f85e48f037feb7a82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/legacy.html"}, "region": {"startLine": 241}}}]}, {"ruleId": "AGT003", "level": "error", "message": {"text": "User-editable role instructions are inserted into the system prompt"}, "properties": {"repobilityId": 107011, "scanner": "repobility-agent-runtime", "fingerprint": "60ba5b5212843862c6d5d49bf4fdd134d027c1a294c3dc8ef822170c2222bd03", "category": "llm_injection", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to combine a user-editable role/fleet instruction with system prompt construction without visible bounds or sanitizer.", "evidence": {"rule_id": "AGT003", "scanner": "repobility-agent-runtime", "data_flow": "user_editable_role_to_system_prompt", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|60ba5b5212843862c6d5d49bf4fdd134d027c1a294c3dc8ef822170c2222bd03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dao_app.js"}, "region": {"startLine": 915}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106968, "scanner": "repobility-supply-chain", "fingerprint": "28bf5f675f1c0370f20e4edf81d019db5a212e0476d5f2d0728223eb577cef5c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|28bf5f675f1c0370f20e4edf81d019db5a212e0476d5f2d0728223eb577cef5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-d.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106967, "scanner": "repobility-supply-chain", "fingerprint": "171540bfb056c298a4bd54a06b44ff0068cb837c44a01fbb9cd25532ec7ef8d4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|171540bfb056c298a4bd54a06b44ff0068cb837c44a01fbb9cd25532ec7ef8d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106966, "scanner": "repobility-supply-chain", "fingerprint": "186077898b2104d6c9814b8cd3b310e1cfc8c529d269448d3bab32e43d8b50c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|186077898b2104d6c9814b8cd3b310e1cfc8c529d269448d3bab32e43d8b50c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned 
to mutable ref `@v4`"}, "properties": {"repobilityId": 106965, "scanner": "repobility-supply-chain", "fingerprint": "6f32702d287f7f111d0923feb3020967c4186622fcb62e163fc311ba289e7dcb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6f32702d287f7f111d0923feb3020967c4186622fcb62e163fc311ba289e7dcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106964, "scanner": "repobility-supply-chain", "fingerprint": "72e97905c22c23421f0132d08811a3ed43e30c6faa2924e81690eb400b908b83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72e97905c22c23421f0132d08811a3ed43e30c6faa2924e81690eb400b908b83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106963, "scanner": "repobility-supply-chain", "fingerprint": "6c12fdf7d18c459182a6d9a7022f0e71275ed810474c70bec86579a27d2aaa02", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c12fdf7d18c459182a6d9a7022f0e71275ed810474c70bec86579a27d2aaa02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106962, "scanner": "repobility-supply-chain", "fingerprint": "df45e587a62a93ca6e7719e115f8bf0b4f239aff54cc0db691f96c6be309682e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df45e587a62a93ca6e7719e115f8bf0b4f239aff54cc0db691f96c6be309682e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106961, "scanner": "repobility-supply-chain", "fingerprint": "10bb0e3c8087ce0e2bff16b8f1094764bb1f2724bc4d40b554f2ebd819796b9e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10bb0e3c8087ce0e2bff16b8f1094764bb1f2724bc4d40b554f2ebd819796b9e"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-c.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106960, "scanner": "repobility-supply-chain", "fingerprint": "b89f06870f7726801267e28da2a635a6ab020e1fb975e6b0066a69f27ecc243f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b89f06870f7726801267e28da2a635a6ab020e1fb975e6b0066a69f27ecc243f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-c.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106959, "scanner": "repobility-supply-chain", "fingerprint": "2c1ebe47394ece16abccdaa0a97fbc81b38da6dd738ca14b870306bb9b3a9e04", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c1ebe47394ece16abccdaa0a97fbc81b38da6dd738ca14b870306bb9b3a9e04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-boot.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106958, "scanner": "repobility-supply-chain", "fingerprint": 
"57f8cba9cb6b6ab9092aea3a78b71d976949709b73cf0f34effb884bb273101c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57f8cba9cb6b6ab9092aea3a78b71d976949709b73cf0f34effb884bb273101c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-boot.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106957, "scanner": "repobility-supply-chain", "fingerprint": "0deacca5ea6b45215e5155644d689ddf2862df7bc7ea552da5a1b0a9b312e5a3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0deacca5ea6b45215e5155644d689ddf2862df7bc7ea552da5a1b0a9b312e5a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-fleet-cloud.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106956, "scanner": "repobility-supply-chain", "fingerprint": "85bef9a5f7e629e461f98634deea02ebe53f6a4514ebd99bcda600c2f94c33ac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85bef9a5f7e629e461f98634deea02ebe53f6a4514ebd99bcda600c2f94c33ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-fleet-cloud.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 106955, "scanner": "repobility-supply-chain", "fingerprint": "2b50e9842775221b7718a14f482a170dd4589cfd65fa8e321725c44733a436ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b50e9842775221b7718a14f482a170dd4589cfd65fa8e321725c44733a436ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/_enable_pages_once.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106954, "scanner": "repobility-supply-chain", "fingerprint": "a9be6e9d6a6fdbf035f3362a1c733e3a00fa4829b02d9a8fe659b7e72f4d4091", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a9be6e9d6a6fdbf035f3362a1c733e3a00fa4829b02d9a8fe659b7e72f4d4091"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-main-shell.yml"}, 
"region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106953, "scanner": "repobility-supply-chain", "fingerprint": "37c36605b06e7c158298e73bb1fbb6e00e6375f1e3ddc483d49a6305165b5a04", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37c36605b06e7c158298e73bb1fbb6e00e6375f1e3ddc483d49a6305165b5a04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-a.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106952, "scanner": "repobility-supply-chain", "fingerprint": "fffb72928f0b04987009841b29decc6a6d137e4323208dd7e133f4820f1a4633", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fffb72928f0b04987009841b29decc6a6d137e4323208dd7e133f4820f1a4633"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-a.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106951, "scanner": "repobility-supply-chain", "fingerprint": 
"a0bf09ebefaded4c3290d6febdeaeb482b9dd68bde3ece2b4e812a2393b31f17", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0bf09ebefaded4c3290d6febdeaeb482b9dd68bde3ece2b4e812a2393b31f17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-free-loop.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106950, "scanner": "repobility-supply-chain", "fingerprint": "e99a2295ed088bcb486bd3d3309328fc51dcc282bde5fea69eed92d73833a17d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e99a2295ed088bcb486bd3d3309328fc51dcc282bde5fea69eed92d73833a17d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-free-loop.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106949, "scanner": "repobility-supply-chain", "fingerprint": "d5735d95561aed13cbd3a644596275ae30d58ee01a1c67e702dbceb7723c9c49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d5735d95561aed13cbd3a644596275ae30d58ee01a1c67e702dbceb7723c9c49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-core.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106948, "scanner": "repobility-supply-chain", "fingerprint": "5b6861e954b4b1e3cc7680c321c7f58f8c65bc18a74277644bbfc9d73e08ec0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b6861e954b4b1e3cc7680c321c7f58f8c65bc18a74277644bbfc9d73e08ec0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-core.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106947, "scanner": "repobility-supply-chain", "fingerprint": "b9a04bdc3a202c754984f0672520a715375dadd6a9a250b8b1e98e0576c0bc41", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9a04bdc3a202c754984f0672520a715375dadd6a9a250b8b1e98e0576c0bc41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-b.yml"}, "region": 
{"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106946, "scanner": "repobility-supply-chain", "fingerprint": "a7a6689ed11ed13a68e4624857692b3b81490fd2b1fffb908fd8bbcf428d544d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7a6689ed11ed13a68e4624857692b3b81490fd2b1fffb908fd8bbcf428d544d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-vm-loop-b.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106945, "scanner": "repobility-supply-chain", "fingerprint": "d5bc4c2aef968d1f4b66b8221feaff7bee0a719aa10c464bfebe242365fc04d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d5bc4c2aef968d1f4b66b8221feaff7bee0a719aa10c464bfebe242365fc04d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-fleet.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 106944, "scanner": "repobility-supply-chain", "fingerprint": "ed182e7dc4d555dff0ee3f8462da857fece89be4e6a375ade688d7cb09bdd008", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed182e7dc4d555dff0ee3f8462da857fece89be4e6a375ade688d7cb09bdd008"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dao-fleet.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `gitpod/workspace-node:latest` not pinned by digest"}, "properties": {"repobilityId": 106943, "scanner": "repobility-supply-chain", "fingerprint": "79f525232971c89cb0e5cbda78bfdb835300e69d69655ca5a745497d7cf42ac4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79f525232971c89cb0e5cbda78bfdb835300e69d69655ca5a745497d7cf42ac4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gitpod.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.wfile` used but never assigned in __init__"}, "properties": {"repobilityId": 106914, "scanner": "repobility-ast-engine", "fingerprint": "333a2dbf3b1ae205333a047ef06b4ec15e70d4acc59650dab9b01aea3fedea58", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|333a2dbf3b1ae205333a047ef06b4ec15e70d4acc59650dab9b01aea3fedea58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 535}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.end_headers` used but never assigned in __init__"}, "properties": {"repobilityId": 106913, "scanner": "repobility-ast-engine", "fingerprint": "01aa560e5936cf7d1308948188e11d9752d5ec23ad16743bd2f391b98208f998", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|01aa560e5936cf7d1308948188e11d9752d5ec23ad16743bd2f391b98208f998"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 538}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_response` used but never assigned in __init__"}, "properties": {"repobilityId": 106912, "scanner": "repobility-ast-engine", "fingerprint": "da7f018e5b35534e754d3c91133c990400234c74b7b8cd95a6a28c5bd053ddcd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|da7f018e5b35534e754d3c91133c990400234c74b7b8cd95a6a28c5bd053ddcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 537}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.end_headers` used but never assigned in __init__"}, "properties": {"repobilityId": 106911, "scanner": "repobility-ast-engine", "fingerprint": "0dc406a190b00bd17a5b78d529b4bb5f6069b3d8401c825d31ef6de507d74497", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0dc406a190b00bd17a5b78d529b4bb5f6069b3d8401c825d31ef6de507d74497"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 534}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_header` used but never assigned in __init__"}, "properties": {"repobilityId": 106910, "scanner": "repobility-ast-engine", "fingerprint": "8a3f6158f3678239208595819bff6a2714c15a42776aa846eff54704256f1834", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a3f6158f3678239208595819bff6a2714c15a42776aa846eff54704256f1834"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 533}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_response` used but never assigned in __init__"}, 
"properties": {"repobilityId": 106909, "scanner": "repobility-ast-engine", "fingerprint": "a3bd4544feb2dd081f0e37568d79000cb67d9df34943b12d80c2ce067ecad016", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a3bd4544feb2dd081f0e37568d79000cb67d9df34943b12d80c2ce067ecad016"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 532}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.wfile` used but never assigned in __init__"}, "properties": {"repobilityId": 106908, "scanner": "repobility-ast-engine", "fingerprint": "450e7fb40e55a5d7817550e3943ab4c827c302c79ce2792299a64a19c77c6944", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|450e7fb40e55a5d7817550e3943ab4c827c302c79ce2792299a64a19c77c6944"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 530}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.path` used but never assigned in __init__"}, "properties": {"repobilityId": 106907, "scanner": "repobility-ast-engine", "fingerprint": "0e5fb3e366f05b36b305b80f7e9e0405e3628eaf2c32e4590489ca09b2d58049", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0e5fb3e366f05b36b305b80f7e9e0405e3628eaf2c32e4590489ca09b2d58049"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 531}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.end_headers` used but never assigned in __init__"}, "properties": {"repobilityId": 106906, "scanner": "repobility-ast-engine", "fingerprint": "aad8be028589596d215a28e1346f4c33e173d26e3f314b36e3c3e4c7bacf3b86", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aad8be028589596d215a28e1346f4c33e173d26e3f314b36e3c3e4c7bacf3b86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 506}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_header` used but never assigned in __init__"}, "properties": {"repobilityId": 106905, "scanner": "repobility-ast-engine", "fingerprint": "9e6580547c49233ab5b4857e1f9dbb61c03d8d5d47bba22f6e8a1e84ab48d147", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": 
"repobility-ast-engine", "correlation_key": "fp|9e6580547c49233ab5b4857e1f9dbb61c03d8d5d47bba22f6e8a1e84ab48d147"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 505}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_header` used but never assigned in __init__"}, "properties": {"repobilityId": 106904, "scanner": "repobility-ast-engine", "fingerprint": "432330b17a053a2cafd11c21cc30972f55a218e836438ed109c24a1224147f9f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|432330b17a053a2cafd11c21cc30972f55a218e836438ed109c24a1224147f9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 504}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_response` used but never assigned in __init__"}, "properties": {"repobilityId": 106903, "scanner": "repobility-ast-engine", "fingerprint": "2f91400ed7ea183d2b6885287e93dde87b04b05a85d16d01cfea6de2b5d7ef69", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f91400ed7ea183d2b6885287e93dde87b04b05a85d16d01cfea6de2b5d7ef69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 503}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.wfile` used but never assigned in __init__"}, "properties": {"repobilityId": 106902, "scanner": "repobility-ast-engine", "fingerprint": "dc83a9cdff05f6dc04a557f83ee4920cb541a005c956b63cc3730d4d8710b794", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dc83a9cdff05f6dc04a557f83ee4920cb541a005c956b63cc3730d4d8710b794"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 501}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.path` used but never assigned in __init__"}, "properties": {"repobilityId": 106901, "scanner": "repobility-ast-engine", "fingerprint": "8a8279a75e61bff2aecfa6afc439db544a78bb418afd701fa366772901dbd597", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a8279a75e61bff2aecfa6afc439db544a78bb418afd701fa366772901dbd597"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 502}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.end_headers` used but never assigned in __init__"}, "properties": 
{"repobilityId": 106900, "scanner": "repobility-ast-engine", "fingerprint": "3a6868770b20873b2650e5ec294b4737579d320de06c5a2a9952a749752c369e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a6868770b20873b2650e5ec294b4737579d320de06c5a2a9952a749752c369e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_header` used but never assigned in __init__"}, "properties": {"repobilityId": 106899, "scanner": "repobility-ast-engine", "fingerprint": "f7db1e153da2f2f491934c490b8923f4ba37c92b2524bf994b1a148231435211", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f7db1e153da2f2f491934c490b8923f4ba37c92b2524bf994b1a148231435211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 499}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_response` used but never assigned in __init__"}, "properties": {"repobilityId": 106898, "scanner": "repobility-ast-engine", "fingerprint": "9552b35492958a7232da4e18b103db5e4c3d50591ebd7b0a978914f8df26bc2b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9552b35492958a7232da4e18b103db5e4c3d50591ebd7b0a978914f8df26bc2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 498}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.path` used but never assigned in __init__"}, "properties": {"repobilityId": 106897, "scanner": "repobility-ast-engine", "fingerprint": "d34176df960536243878081fd290ff28155fa2023f6b59e68d0f542cfa973ea2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d34176df960536243878081fd290ff28155fa2023f6b59e68d0f542cfa973ea2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/credit_toolkit.py"}, "region": {"startLine": 497}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 107128, "scanner": "gitleaks", "fingerprint": "0b4dcdc8a79596e0a7e4e60a621a1b55cd22483da39d6c9f30f22e8aab3586f9", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key=REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", 
"correlation_key": "secret|packages/wam/extension.js|32|key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/wam/extension.js"}, "region": {"startLine": 323}}}]}, {"ruleId": "gcp-api-key", "level": "error", "message": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "properties": {"repobilityId": 107127, "scanner": "gitleaks", "fingerprint": "1ca0f6703cc94f2405d9f44db885c40635c053304540cceab9f9aba77de7007c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "gcp-api-key", "scanner": "gitleaks", "detector": "gcp-api-key", "correlation_key": "secret|token|33|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "_archive/wam-v17.42.20/extension.js"}, "region": {"startLine": 340}}}]}, {"ruleId": "gcp-api-key", "level": "error", "message": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "properties": {"repobilityId": 107126, "scanner": "gitleaks", "fingerprint": "904125adcc8feec17608fac60ba3bf84ce9fe0b166c65953a17b7c1f3f86c81b", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED\"", "rule_id": "gcp-api-key", "scanner": "gitleaks", "detector": "gcp-api-key", "correlation_key": "secret|token|2|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["gcp-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["904125adcc8feec17608fac60ba3bf84ce9fe0b166c65953a17b7c1f3f86c81b", "c14f163c72847b1cc7d8b0e6438a9b1f11b4ef337cc86132762163402df0bdae"]}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "packages/dao-core/cloud_engine.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 107125, "scanner": "gitleaks", "fingerprint": "2d24a629086cb91cf9a13a64a9d364abb96775f1b960393d3cf3e0e969e18211", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "KEY_A = \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|tests/_auth_smoke.cjs|2|key_a redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/_auth_smoke.cjs"}, "region": {"startLine": 30}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 107124, "scanner": "gitleaks", "fingerprint": "f28fee2023e496701b967c8d4cba559ed9227cebf4cf74b07499fb65f47c7cf5", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl http://localhost:7862/v1/chat/completions \\\n  -H 'Content-Type: application/json' \\\n  -H 'Authorization: Bearer <redacted>'", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|packages/dao-core/readme.md|2|curl token -h content-type: application/json -h authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dao-core/README.md"}, "region": {"startLine": 28}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token 
provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 107123, "scanner": "gitleaks", "fingerprint": "eef0903c0bf4834f99a7393e0b41f440d1b40b3b597380dec6da4fac4e593bc2", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl http://localhost:7862/health\ncurl -H 'Authorization: Bearer <redacted>'", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|packages/dao-core/readme.md|2|curl token curl -h authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dao-core/README.md"}, "region": {"startLine": 25}}}]}, {"ruleId": "gcp-api-key", "level": "error", "message": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "properties": {"repobilityId": 107122, "scanner": "gitleaks", "fingerprint": "0489228d37e3e3794a63cca5628ce787984f925d8a4a2bb14bb94d2573e796fe", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED'", "rule_id": "gcp-api-key", "scanner": "gitleaks", "detector": "gcp-api-key", "correlation_key": "secret|windsurf /010- _proxy/dao-agent/dao_agent.js|44|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["gcp-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["0489228d37e3e3794a63cca5628ce787984f925d8a4a2bb14bb94d2573e796fe", "f42ce2da72098e4068e69961aae4b83b83415a7efb40223af064ae66994ce43f"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/010-\u53cd\u4ee3_Proxy/dao-agent/dao_agent.js"}, "region": {"startLine": 446}}}]}, 
{"ruleId": "gcp-api-key", "level": "error", "message": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "properties": {"repobilityId": 107121, "scanner": "gitleaks", "fingerprint": "bcafbe321e47c42396c0f1b4162f6e37e4dadc035f49952992b13c9d6e2b8a58", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED'", "rule_id": "gcp-api-key", "scanner": "gitleaks", "detector": "gcp-api-key", "correlation_key": "secret|windsurf /060- _repair token|2|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["gcp-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["2024a2f248cdc00a44e470f0ce266d52f270d4fd4aee58dff37d4aa1fc0b3f61", "bcafbe321e47c42396c0f1b4162f6e37e4dadc035f49952992b13c9d6e2b8a58"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/windsurf-switch.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "gcp-api-key", "level": "error", "message": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "properties": {"repobilityId": 107120, "scanner": "gitleaks", "fingerprint": "8284e139b36f3c3f2678675750a8e820dfe93828fb2b7b0fce0f827d358a678f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "gcp-api-key", "scanner": "gitleaks", "detector": "gcp-api-key", "correlation_key": "secret|windsurf /060- _repair token|5|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/fix_auth.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "gcp-api-key", "level": "error", "message": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "properties": {"repobilityId": 107119, "scanner": "gitleaks", "fingerprint": "9683ce2543023f176d85ef072148b722a184f8fcc5d4f37855d929928277cfdf", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 4 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED'", "rule_id": "gcp-api-key", "scanner": "gitleaks", "detector": "gcp-api-key", "correlation_key": "secret|windsurf /060- _repair token|1|redacted", "duplicate_count": 4, "duplicate_rule_ids": ["gcp-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["3df0c4ab55925d67c260d65361c49a1ffd9e99ad588faf9cbdd9d640f8fa5752", "58d51587a93066e6b521c7215cc7e17e84def8498562e139f2fd8f16ce3614d0", "6a878253aa084a3cb0481190fa9ad7901595fc52d699cc33d72fb860d68d3b5d", "966c7f0b6f9da51a7f0c3813db3cfd93fa0a15090801e37b0d8f171d9a101652", "9683ce2543023f176d85ef072148b722a184f8fcc5d4f37855d929928277cfdf"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/switch_account.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "gcp-api-key", "level": "error", "message": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "properties": {"repobilityId": 107118, "scanner": "gitleaks", "fingerprint": "1d1bf5f494e44ccc2787e637a8573dd30a2076c1c78efb66375d8b12a4cd270e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "gcp-api-key", "scanner": "gitleaks", "detector": "gcp-api-key", "correlation_key": "secret|windsurf /060- _repair/fb_test.js|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/fb_test.js"}, "region": {"startLine": 6}}}]}, {"ruleId": "gcp-api-key", "level": "error", "message": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "properties": {"repobilityId": 107117, "scanner": "gitleaks", "fingerprint": "39a704831f914948643a6c7162914bf38d5f9f670d06ee6ff6607d47a362d711", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "REDACTED\"", "rule_id": "gcp-api-key", "scanner": "gitleaks", "detector": "gcp-api-key", "correlation_key": "secret|windsurf /060- _repair/_179_total_diag.py|66|redacted", "duplicate_count": 1, "duplicate_rule_ids": ["gcp-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["16cf4b2e2513e69cd1b964f3ebb4a93904258647d3f366ae027cdcd964431c7a", "39a704831f914948643a6c7162914bf38d5f9f670d06ee6ff6607d47a362d711"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_179_total_diag.py"}, "region": {"startLine": 669}}}]}, {"ruleId": "gcp-api-key", "level": "error", "message": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "properties": {"repobilityId": 107116, "scanner": "gitleaks", "fingerprint": "6f30568875a5705279a5585508f7ba4ff3b43d9703198a405855df0168b3d4a6", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "gcp-api-key", "scanner": "gitleaks", "detector": "gcp-api-key", "correlation_key": "secret|windsurf /060- _repair/_node_diag.py|4|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_node_diag.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "gcp-api-key", "level": "error", "message": {"text": "Uncovered a GCP API key, which could lead to unauthorized access to Google Cloud services and data breaches."}, "properties": {"repobilityId": 107115, "scanner": "gitleaks", "fingerprint": "2f992a0e9cb79057df1f18f70891616cb67dcdde6977e82ae11654bef1a4e09f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED\"", "rule_id": "gcp-api-key", "scanner": "gitleaks", "detector": "gcp-api-key", "correlation_key": "secret|windsurf /060- _repair/_diag_zroliu.py|7|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_diag_zroliu.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "curl-auth-user", "level": "error", "message": {"text": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 107114, "scanner": "gitleaks", "fingerprint": "9c345af420ad0a8e7dd5ba0926d066ad5cafdd72665bf53c4c2bed5c6d7f08b2", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl \u4e00\u7b14 (\u4efb\u8bbe\u5907 \u00b7 Linux/macOS/Windows)\n\n```bash\ncurl -u REDACTED", "rule_id": "curl-auth-user", "scanner": "gitleaks", "detector": "curl-auth-user", "correlation_key": "secret|windsurf /005- 
_docs/ / 150_vm 16token_cascade_per-token _2026-05-18.md|16|curl linux/macos/windows bash curl -u redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/005-\u6587\u6863_docs/\u5370\u8bb0/\u5370150_VM\u6ce8\u516516token_cascade_per-token\u771f\u672c\u6e90_2026-05-18.md"}, "region": {"startLine": 166}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 107113, "scanner": "gitleaks", "fingerprint": "49ba9dd3cbc94d4f47b6dd477b4041d2cfa730eeb2bdec2b2c242a224214f20d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "X-Dao-Auth\": \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|windsurf /005- _docs/ / 150_vm 16token_cascade_per-token _2026-05-18.md|18|x-dao-auth : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/005-\u6587\u6863_docs/\u5370\u8bb0/\u5370150_VM\u6ce8\u516516token_cascade_per-token\u771f\u672c\u6e90_2026-05-18.md"}, "region": {"startLine": 183}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 107112, "scanner": "gitleaks", "fingerprint": "44b38277dd6fe4acd811f77cfd2600e8586e5f6e9a50b96933ef536c72eaf446", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "api_key=\"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|windsurf /005- 
_docs/ / 150_vm 16token_cascade_per-token _2026-05-18.md|18|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/005-\u6587\u6863_docs/\u5370\u8bb0/\u5370150_VM\u6ce8\u516516token_cascade_per-token\u771f\u672c\u6e90_2026-05-18.md"}, "region": {"startLine": 182}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 107111, "scanner": "gitleaks", "fingerprint": "4877223a9ed840c8337d650bbb2ccc6a55416068ddf8c516625643619a7529bc", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "X-Dao-Auth: REDACTED'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|windsurf /005- _docs/ / 150_vm 16token_cascade_per-token _2026-05-18.md|16|x-dao-auth: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/005-\u6587\u6863_docs/\u5370\u8bb0/\u5370150_VM\u6ce8\u516516token_cascade_per-token\u771f\u672c\u6e90_2026-05-18.md"}, "region": {"startLine": 170}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 107110, "scanner": "gitleaks", "fingerprint": "b1464e2c5b69f3d54c46df0c0fb31513c4fd96421b409ed76f176beb29f7a668", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Auth:   REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|windsurf /005- _docs/ / 150_vm 16token_cascade_per-token 
_2026-05-18.md|16|auth: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/005-\u6587\u6863_docs/\u5370\u8bb0/\u5370150_VM\u6ce8\u516516token_cascade_per-token\u771f\u672c\u6e90_2026-05-18.md"}, "region": {"startLine": 161}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 107109, "scanner": "gitleaks", "fingerprint": "8f95fff5460d3d975c03c7e953130647309ecd8ac84d541cf7d15f804aa5debd", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -X POST https://conditions-beaches-analyzed-compromise.trycloudflare.com/v1/chat/completions \\\n    -H \"Authorization: Bearer <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|windsurf /005- _docs/ / 155 _ _ _2026-05-19.md|13|curl -x post token -h authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/005-\u6587\u6863_docs/\u5370\u8bb0/\u5370155\u7eed_\u5b9e\u6218\u6536\u675f_\u4e07\u6e90\u9f50\u5165_2026-05-19.md"}, "region": {"startLine": 131}}}]}, {"ruleId": "curl-auth-user", "level": "error", "message": {"text": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 107108, "scanner": "gitleaks", "fingerprint": "1e0abd7d170c537fc546c3ea8582fc4e5585021a51847e49c342f4aa55d1f161", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl \u4e00\u7b14 (\u5370 146 
\u5b9e\u8bc1)**:\n\n```bash\ncurl -u REDACTED", "rule_id": "curl-auth-user", "scanner": "gitleaks", "detector": "curl-auth-user", "correlation_key": "secret|windsurf /005- _docs/ / 148_ _ _2026-05-18.md|15|curl 146 : bash curl -u redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/005-\u6587\u6863_docs/\u5370\u8bb0/\u5370148_\u4e07\u6cd5\u5f52\u5b97_\u672c\u6e90\u5e95\u5c42_2026-05-18.md"}, "region": {"startLine": 153}}}]}, {"ruleId": "curl-auth-header", "level": "error", "message": {"text": "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 107107, "scanner": "gitleaks", "fingerprint": "856a167d16022cee474cbb6b9cd8f69d94c0b5d82d97c3bd8de7c11109c020fb", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl http://127.0.0.1:7861/v1/chat/completions \\\n  -H \"Authorization: Bearer <redacted>\"", "rule_id": "curl-auth-header", "scanner": "gitleaks", "detector": "curl-auth-header", "correlation_key": "secret|windsurf /005- _docs/ / 165_ _ _2026-05-19.md|12|curl token -h authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/005-\u6587\u6863_docs/\u5370\u8bb0/\u5370165_\u4e07\u6cd5\u5f52\u5b97_\u5168\u94fe\u8def\u8d2f\u901a_2026-05-19.md"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 107098, "scanner": "repobility-threat-engine", "fingerprint": "3a7c9d393265688f38b87d194bd7c4b4e061a80b8bd5bf76afaaee1ca727e2ad", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "High entropy value (3.6 bits) \u2014 likely real secret", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "High entropy value (3.6 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|windsurf /060- _repair token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/inject_login.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC049", "level": "error", "message": {"text": "[SEC049] GCP API key: Google Cloud API key (AIza prefix). Ported from gitleaks gcp-api-key (MIT)."}, "properties": {"repobilityId": 107088, "scanner": "repobility-threat-engine", "fingerprint": "80b8da9079eb9a4a94296b96e7b541131023b6f798f4e17da99429d31005a73e", "category": "secret", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "REDACTED\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC049", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|windsurf /060- _repair token|1|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/full_deploy.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC049", "level": "error", "message": {"text": "[SEC049] GCP API key: Google Cloud API key (AIza prefix). 
Ported from gitleaks gcp-api-key (MIT)."}, "properties": {"repobilityId": 107087, "scanner": "repobility-threat-engine", "fingerprint": "1712e2ff7f3cf0f25953fabc3db455460c2d4d0e0e2b78b4fa392c53ae372037", "category": "secret", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "REDACTED\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC049", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|windsurf /060- _repair token|5|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/fix_auth.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC049", "level": "error", "message": {"text": "[SEC049] GCP API key: Google Cloud API key (AIza prefix). Ported from gitleaks gcp-api-key (MIT)."}, "properties": {"repobilityId": 107086, "scanner": "repobility-threat-engine", "fingerprint": "861f1103961523099ab7d45324e91cd6d9b36a3dd27b27a35c29f4f0f9d2c5b5", "category": "secret", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "REDACTED\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC049", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|windsurf /060- _repair/_diag_zroliu.py|7|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_diag_zroliu.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary 
modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 107084, "scanner": "repobility-threat-engine", "fingerprint": "ff2f6aeb7d0d13801b548b9c9b03ceed629a94edd48b564eb7cee50a5d5824f4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(tracePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ff2f6aeb7d0d13801b548b9c9b03ceed629a94edd48b564eb7cee50a5d5824f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_diag_cascade_tabs.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 107083, "scanner": "repobility-threat-engine", "fingerprint": "e4aa973b102a59641f409e0eaa53f7dc51c2240d8de7fbf0619e266159427165", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e4aa973b102a59641f409e0eaa53f7dc51c2240d8de7fbf0619e266159427165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_diag_auxiliary_state.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 107082, "scanner": "repobility-threat-engine", "fingerprint": "631620eeb10e1918f2189da1a5c4f0110fd49c77b54d724f2210ba021ce4e141", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|631620eeb10e1918f2189da1a5c4f0110fd49c77b54d724f2210ba021ce4e141"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/_diag_179_statedb.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 106942, "scanner": "repobility-ast-engine", "fingerprint": "80809b6977f289b577dd22de2b23e8ed2ca077ddb1d49c51a70e07618435deb8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|80809b6977f289b577dd22de2b23e8ed2ca077ddb1d49c51a70e07618435deb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/fix_auth.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 106941, "scanner": "repobility-ast-engine", 
"fingerprint": "3dd75a20a0f74d45adb935b502411fb3ed89b7cdb5e5b03488d5ee247062ecc1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3dd75a20a0f74d45adb935b502411fb3ed89b7cdb5e5b03488d5ee247062ecc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/switch_account.py"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `email` used but not imported"}, "properties": {"repobilityId": 106940, "scanner": "repobility-ast-engine", "fingerprint": "b855d63fcd674245478c4e647edf3f45a8f502a57a649c5d0e0a9ba9df542622", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b855d63fcd674245478c4e647edf3f45a8f502a57a649c5d0e0a9ba9df542622"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Windsurf\u4e07\u6cd5\u5f52\u5b97/060-\u4fee\u590d_Repair/agent-remote-repair-main/remote-agent/full_deploy.py"}, "region": {"startLine": 165}}}]}]}]}