{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "QUAL003", "name": "Magic number used as default arg", "shortDescription": {"text": "Magic number used as default arg"}, "fullDescription": {"text": "Using hardcoded default values for complex configuration objects makes the code brittle and difficult to manage. Consider using a dedicated factory or builder pattern.\n\nAuto-promoted from proposal 444 on 2026-05-12. Synth confidence: 0.85. FP estimate: 0.00."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "LOG001", "name": "PII printed to stdout/stderr", "shortDescription": {"text": "PII printed to stdout/stderr"}, "fullDescription": {"text": "Logging password/token/email/ssn directly to stdout."}, "properties": {"scanner": "repobility", "category": "logging", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "SUPC002", "name": "Supply chain \u2014 npm install without lockfile", "shortDescription": {"text": "Supply chain \u2014 npm install without lockfile"}, "fullDescription": {"text": "Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"scanner": "repobility", "category": "supply_chain", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "CRYP001", "name": "Crypto \u2014 plaintext HTTP for sensitive endpoint", "shortDescription": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "fullDescription": {"text": "Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "XSS001", "name": "Cross-site scripting \u2014 dangerouslySetInnerHTML", "shortDescription": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "fullDescription": {"text": "dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"scanner": "repobility", "category": "injection", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "QUAL004", "name": "Placeholder default username (admin/admin)", "shortDescription": {"text": "Placeholder default username (admin/admin)"}, "fullDescription": {"text": "foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "low", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Repositories with several agent instruction, progress, or completion marker files are often generated scaffolds. They are not automatically wrong, but they deserve a reachability and ownership review before users treat the code as production-ready."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC018", "name": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents ", "shortDescription": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, she"}, "fullDescription": {"text": "Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/263"}, "properties": {"repository": "affaan-m/everything-claude-code", "repoUrl": "https://github.com/affaan-m/everything-claude-code", "branch": "main"}, "results": [{"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21875, "scanner": "repobility", "fingerprint": "3f0c96b26ac5b57655271630649c33ca", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "default 50", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/lib/session-manager.test.js"}, "region": {"startLine": 1817}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21874, "scanner": "repobility", "fingerprint": "ac641ac80987f16ff03440e126eda353", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "default 50", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/hooks/hooks.test.js"}, "region": {"startLine": 4655}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21873, "scanner": "repobility", "fingerprint": "12966f48622a1b6f7723b776814b8008", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "default 10", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/hooks/hooks.test.js"}, "region": {"startLine": 2606}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21872, "scanner": "repobility", "fingerprint": "6fba593d4145d09945a9a61dc64b7bea", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "default 10", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/hooks/hooks.test.js"}, "region": {"startLine": 2547}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21871, "scanner": "repobility", "fingerprint": "08dbb6665e84ac07893ecdaa5dc3c0f6", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "default 10", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/hooks/hooks.test.js"}, "region": {"startLine": 2522}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21870, "scanner": "repobility", "fingerprint": "a6ad05cba710a981c9ba3d3de385d8cd", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "default 10", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/hooks/hooks.test.js"}, "region": {"startLine": 2519}}}]}, {"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21869, "scanner": "repobility", "fingerprint": "6c3227545048299250cd70af93637cb5", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "default 60", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/scripts/skill-create-output.test.js"}, "region": {"startLine": 410}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16949, "scanner": "repobility", "fingerprint": "5939e290559c293b154c8b4db05927af", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "console.log('\\nRound 123: replaceInFile ($& and $$ substitution token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/lib/utils.test.js"}, "region": {"startLine": 2268}}}]}, {"ruleId": "LOG001", "level": "warning", "message": {"text": "PII printed to stdout/stderr"}, "properties": {"repobilityId": 16948, "scanner": "repobility", "fingerprint": "77bc68e949f0a89f5f541db60333f908", "category": "logging", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "console.log(`Estimated tokens: ${m.token", "aljefra_cwe": ["CWE-532"], "aljefra_owasp": "A09:2021", "aljefra_pattern_slug": "print-pii"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/claw.js"}, "region": {"startLine": 425}}}]}, {"ruleId": "SUPC002", "level": "warning", "message": {"text": "Supply chain \u2014 npm install without lockfile"}, "properties": {"repobilityId": 15647, "scanner": "repobility", "fingerprint": "c5e3db53394ea18b178cdb11dfb2b94b", "category": "supply_chain", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "  pip install", "aljefra_cwe": ["CWE-1357"], "aljefra_owasp": "A06:2021", "aljefra_pattern_slug": "npm-install-no-lockfile"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/hooks/insaits-security-monitor.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13859, "scanner": "repobility", "fingerprint": "7264652f5e6d589d9fa0c06dff411be2", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/continuous-learning-v2/scripts/instinct-cli.py"}, "region": {"startLine": 439}}}]}, {"ruleId": "XSS001", "level": "warning", "message": {"text": "Cross-site scripting \u2014 dangerouslySetInnerHTML"}, "properties": {"repobilityId": 13424, "scanner": "repobility", "fingerprint": "fa19fe4367da0bca8f77d2239a23a6e9", "category": "injection", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "dangerouslySetInnerHTML", "aljefra_cwe": ["CWE-79"], "aljefra_owasp": "A03:2021", "aljefra_pattern_slug": "react-dangerously-set-html"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/sync-ecc-to-codex.sh"}, "region": {"startLine": 274}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 8236, "scanner": "repobility-threat-engine", "fingerprint": "ede792666cc97a00818daf155ec7d6cdfe14b5e59d8390c24470ecddc2a3c222", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ede792666cc97a00818daf155ec7d6cdfe14b5e59d8390c24470ecddc2a3c222"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/continuous-learning-v2/scripts/instinct-cli.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 8235, "scanner": "repobility-threat-engine", "fingerprint": "b11d9273bdd5082620f1949abc3ddc3a582dd97b84e7fe1ed58a12404f2390fd", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n                        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b11d9273bdd5082620f1949abc3ddc3a582dd97b84e7fe1ed58a12404f2390fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ecc_dashboard.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8234, "scanner": "repobility-ai-code-hygiene", "fingerprint": "308725070062f493313aa620430d7c9a5eabe2279cd9a11f3c1c62ab0708fe69", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/catalog.js", "duplicate_line": 77, "correlation_key": "fp|308725070062f493313aa620430d7c9a5eabe2279cd9a11f3c1c62ab0708fe69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/install-plan.js"}, "region": {"startLine": 103}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8233, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6bb34d6a60288a4be50433c0bfdb38b31373d47c62b24f2e0604ac8bf7883b31", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/hooks/session-activity-tracker.js", "duplicate_line": 517, "correlation_key": "fp|6bb34d6a60288a4be50433c0bfdb38b31373d47c62b24f2e0604ac8bf7883b31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/hooks/session-end-marker.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8232, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cdf22ef67b0a37d1d9044d3197730c08dd2fb85c1b37e4f51cb14d08ceae6fb2", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/hooks/mcp-health-check.js", "duplicate_line": 78, "correlation_key": "fp|cdf22ef67b0a37d1d9044d3197730c08dd2fb85c1b37e4f51cb14d08ceae6fb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/hooks/run-with-flags.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8231, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b7da866c2c0454a77aa5562d3702319c4e295afa0b9d285344134ba0c8e806d0", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/hooks/governance-capture.js", "duplicate_line": 210, "correlation_key": "fp|b7da866c2c0454a77aa5562d3702319c4e295afa0b9d285344134ba0c8e806d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/hooks/run-with-flags.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8230, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91c1932f20fb185975beb1f24838129f106d8e24cc643bbf33882e6e60ccc85c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/hooks/post-bash-build-complete.js", "duplicate_line": 12, "correlation_key": "fp|91c1932f20fb185975beb1f24838129f106d8e24cc643bbf33882e6e60ccc85c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/hooks/pre-bash-tmux-reminder.js"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8229, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4bd45cdedd9ef1cd06a224e920b86e692d20d80d011a34d13151a9b661f16af5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/hooks/pre-bash-git-push-reminder.js", "duplicate_line": 14, "correlation_key": "fp|4bd45cdedd9ef1cd06a224e920b86e692d20d80d011a34d13151a9b661f16af5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/hooks/pre-bash-tmux-reminder.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8228, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06152f4dc08dfb51a28bea5669b0931e24b1079179d04695df4eec7511fbd7ee", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/hooks/post-bash-build-complete.js", "duplicate_line": 12, "correlation_key": "fp|06152f4dc08dfb51a28bea5669b0931e24b1079179d04695df4eec7511fbd7ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/hooks/pre-bash-git-push-reminder.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8227, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d539f63de460e29166ad1589b99bf6c3a8cd2970cc531650c04c33be0d700dc", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/hooks/ecc-metrics-bridge.js", "duplicate_line": 130, "correlation_key": "fp|2d539f63de460e29166ad1589b99bf6c3a8cd2970cc531650c04c33be0d700dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/hooks/post-edit-accumulator.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8226, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fada5d63b9b953a299109d2972e993f5a87797829bc4be7969c3d2144efe8d76", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/hooks/post-bash-build-complete.js", "duplicate_line": 14, "correlation_key": "fp|fada5d63b9b953a299109d2972e993f5a87797829bc4be7969c3d2144efe8d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/hooks/post-bash-pr-created.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8225, "scanner": "repobility-ai-code-hygiene", "fingerprint": "37e47363a17518b732fa9cc18dde2250f2e89e5455cb0734e00186d8701feab2", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/hooks/observe-runner.js", "duplicate_line": 18, "correlation_key": "fp|37e47363a17518b732fa9cc18dde2250f2e89e5455cb0734e00186d8701feab2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/hooks/plugin-hook-bootstrap.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8224, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f078f0046cb5d45586953c993484bfad0908ae5744118641d3e3255e214a732", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/hooks/governance-capture.js", "duplicate_line": 208, "correlation_key": "fp|5f078f0046cb5d45586953c993484bfad0908ae5744118641d3e3255e214a732"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/hooks/mcp-health-check.js"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8223, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2988f6330b7a77e10036dadd6f59f91e752279ceecc72c130c679ff6b0ebba22", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".codebuddy/install.js", "duplicate_line": 94, "correlation_key": "fp|2988f6330b7a77e10036dadd6f59f91e752279ceecc72c130c679ff6b0ebba22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".codebuddy/uninstall.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22057, "scanner": "repobility", "fingerprint": "6d08efa32c0a563e2ef65096bc561c7f", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "test@test.", "aljefra_cwe": ["CWE-1392", "CWE-798"], "aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/hooks/detect-project-worktree.test.js"}, "region": {"startLine": 160}}}]}, {"ruleId": "QUAL004", "level": "note", "message": {"text": "Placeholder default username (admin/admin)"}, "properties": {"repobilityId": 22056, "scanner": "repobility", "fingerprint": "9343b116c7f251642ae801e5004fa069", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "test@test.", "aljefra_cwe": ["CWE-1392", "CWE-798"], "aljefra_owasp": null, "aljefra_pattern_slug": "placeholder-default-username"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/hooks/detect-project-worktree.test.js"}, "region": {"startLine": 158}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 8222, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d56a4f7d0ce84454a039e71d628f804cda981b2584caa8fd99fb45866716471", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|8d56a4f7d0ce84454a039e71d628f804cda981b2584caa8fd99fb45866716471"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/auto-update.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 8221, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32459e18838866b083b985fd53ac32d4e825aa20af779d902253d8278f625dfb", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": [".github/copilot-instructions.md", "AGENTS.md", "CLAUDE.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|32459e18838866b083b985fd53ac32d4e825aa20af779d902253d8278f625dfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/copilot-instructions.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 8241, "scanner": "repobility-threat-engine", "fingerprint": "2848741efcf49971a66f01c8f0159413b53b0a5d99716b985fc36987ac6d67e3", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|scripts/loop-status.js|643|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/loop-status.js"}, "region": {"startLine": 643}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 8240, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8239, "scanner": "repobility-threat-engine", "fingerprint": "0fa83ab8218d381bdcdc72f26ca59163da7ddf802b1ce5233a886583d7770c1a", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(`  Environment var: ${process.env.CLAUDE_PACKAGE_MANAGER || 'not set'}`)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|7|console.log environment var: token not set"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/setup-package-manager.js"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8238, "scanner": "repobility-threat-engine", "fingerprint": "c94b5faa03553085d5b8d9c063bb11d305153c2a868d3b1795f1e79939e60f4b", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('[ECC] WARNING: Potential secret detected in prompt!')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|. token|1|console.error ecc warning: potential secret detected in prompt"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".cursor/hooks/before-submit-prompt.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC018", "level": "error", "message": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation."}, "properties": {"repobilityId": 8242, "scanner": "repobility-threat-engine", "fingerprint": "fb317cce3c95f527789dd784de1cdb34e86f3e8cbc810d15e021de5477057986", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "gh auth token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC018", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|6|gh auth token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex/merge-mcp-config.js"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8237, "scanner": "repobility-threat-engine", "fingerprint": "38180df9e594e83c1dafac6db6fe141c0fcaf1448b7c1a1cedefe5d187d2a913", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`Estimated tokens: ${m.tokenEstimate}`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|scripts/claw.js|42|console.log estimated tokens: m.tokenestimate"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/claw.js"}, "region": {"startLine": 430}}}]}]}]}