{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT008", "name": "Ollama audio payload path may mislead users about direct model audio", "shortDescription": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "fullDescription": {"text": "Gate direct audio sending on a verified runtime capability check. Until supported, show a one-time notice that voice is transcribed in the browser and only text is sent to the model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /pr"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `e2e` image uses the latest tag", "shortDescription": {"text": "Compose service `e2e` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008",
"name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use the secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 83 more): Same pattern found in 83 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 83 more): Same pattern found in 83 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `e2e` image is selected through a build variable", "shortDescription": {"text": "Compose service `e2e` image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "SEC018", "name": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents ", "shortDescription": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, she"}, "fullDescription": {"text": "Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC019", "name": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or servic", "shortDescription": {"text": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files."}, "fullDescription": {"text": "Replace the value with a placeholder, revoke or rotate the exposed token, and store live values only in a masked secret store."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC010", "name": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.", "shortDescription": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "fullDescription": {"text": "Remove immediately and rotate the token. 
Use environment variables."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/175"}, "properties": {"repository": "https://github.com/tinyhumansai/openhuman", "repoUrl": "https://github.com/tinyhumansai/openhuman", "branch": "main"}, "results": [{"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 23543, "scanner": "repobility-journey-contract", "fingerprint": "6bbd40c2dd9b10d6d8a6b63e600984601103da80513191a668056182b94cc5a7", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|66|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/coreModeSlice.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 23542, "scanner": "repobility-access-control", "fingerprint": "ae0e7b4007a228cab07ec453f8cb9c117341ab68ff3dea44fb2d51291624b5e0", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 44, "correlation_key": 
"fp|ae0e7b4007a228cab07ec453f8cb9c117341ab68ff3dea44fb2d51291624b5e0", "auth_visible_percent": 18.2}}}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 23541, "scanner": "repobility-agent-runtime", "fingerprint": "82079daab425d271e5b7ef19b31e7bc7f51b5453bb2544f6642cb2048b07d075", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|82079daab425d271e5b7ef19b31e7bc7f51b5453bb2544f6642cb2048b07d075"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/index.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 23540, "scanner": "repobility-agent-runtime", "fingerprint": "ab19fc473d1835bd58282b157728d8eaaa02ed26c1c93c6f98222ee3277763f7", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ab19fc473d1835bd58282b157728d8eaaa02ed26c1c93c6f98222ee3277763f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/onboarding/components/BetaBanner.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AGT008", "level": "warning", "message": {"text": 
"Ollama audio payload path may mislead users about direct model audio"}, "properties": {"repobilityId": 23539, "scanner": "repobility-agent-runtime", "fingerprint": "4af5fc7dcee6e8c50c675a703ce8884105367438d2f98fab26bc364e3d58d017", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Ollama and an audios payload without an obvious capability check or browser-transcription disclosure.", "evidence": {"rule_id": "AGT008", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4af5fc7dcee6e8c50c675a703ce8884105367438d2f98fab26bc364e3d58d017"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Conversations.tsx"}, "region": {"startLine": 753}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 23538, "scanner": "repobility-agent-runtime", "fingerprint": "2f472da371f255762bd4cbbf693afce286637502a550265a17a023715a32934f", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|2f472da371f255762bd4cbbf693afce286637502a550265a17a023715a32934f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/AgentChatPanel.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 23537, "scanner": "repobility-agent-runtime", "fingerprint": 
"beb83ae15305fc44d305dbfdf62991c122159aa81aa10b7808fdc5a3ceeec488", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|beb83ae15305fc44d305dbfdf62991c122159aa81aa10b7808fdc5a3ceeec488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.zh-CN.md"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 23514, "scanner": "repobility-threat-engine", "fingerprint": "61c8c27cc0fa31008e61790a37b247bd55ecb3228bbb8682ab851dc590517271", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD=\"<redacted>\"", "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|scripts/load-env.sh|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/load-env.sh"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 23513, "scanner": "repobility-threat-engine", "fingerprint": "d06644e497d342c75d3327e7c134d910132728855da94e90255bf3fa2618d1c6", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", 
"isResolved": true, "reason": "Low entropy value (4.1 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD=\"<redacted> rand -base64 32)\"", "reason": "Low entropy value (4.1 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|7|password redacted rand -base64 32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/build-macos-signed.sh"}, "region": {"startLine": 76}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 23498, "scanner": "repobility-threat-engine", "fingerprint": "ef0d8080f95011c582e82c55b2d4cc4733c7b0a640858585a2b0bada8bf35368", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef0d8080f95011c582e82c55b2d4cc4733c7b0a640858585a2b0bada8bf35368"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_audio/captions_bridge.js"}, "region": {"startLine": 158}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 23497, "scanner": "repobility-threat-engine", "fingerprint": "ea83aae6d046e1361bb672c6c3f0b4988949e5068706b5a1715d94537b86db6b", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched 
with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea83aae6d046e1361bb672c6c3f0b4988949e5068706b5a1715d94537b86db6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_audio/audio_bridge.js"}, "region": {"startLine": 209}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 23496, "scanner": "repobility-threat-engine", "fingerprint": "ba1572a996c8dcf8c02ee61748ea27fbf889a9ccccb19444f241f277e105ff88", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|501|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/e2e-run-session.sh"}, "region": {"startLine": 501}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 10458, "scanner": "repobility-journey-contract", "fingerprint": "487ba048791b1a931e603d9e9f677821530ed58df28ade3556545f7b49ff8c8b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": 
"code|auth|token|219|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 219}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 10457, "scanner": "repobility-journey-contract", "fingerprint": "77145cb9045d8e4650c519fe50be28a67dff003a60c2078339eeaed43736100b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|202|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 202}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /probe."}, "properties": {"repobilityId": 10456, "scanner": "repobility-access-control", "fingerprint": "1ede81dc63000d2c60700856e892a63ebb3b7f91107a9b0d5304c2d4caeb4cf2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/probe", "method": "ANY", "scanner": "repobility-access-control", "framework": "Actix", "correlation_key": "code|auth|src/api/rest_tests.rs|188|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/rest_tests.rs"}, "region": {"startLine": 188}}}]}, {"ruleId": "AGT008", "level": "warning", "message": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "properties": {"repobilityId": 10452, "scanner": "repobility-agent-runtime", "fingerprint": "d0f6edb33e4edf36079cd5f1b1594bc92a679a693e7a820b3f14f5b75d1757fe", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File references Ollama and an audios payload without an obvious capability check or browser-transcription disclosure.", "evidence": {"rule_id": "AGT008", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d0f6edb33e4edf36079cd5f1b1594bc92a679a693e7a820b3f14f5b75d1757fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Conversations.tsx"}, "region": {"startLine": 637}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 4992, "scanner": "repobility-agent-runtime", "fingerprint": "ed6e349a6bdfc1c4ddac8e94498e55105bb82063aa97ec398c35b6094fe911f2", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "fixed", 
"verdict": "likely", "isResolved": true, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ed6e349a6bdfc1c4ddac8e94498e55105bb82063aa97ec398c35b6094fe911f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/vite.config.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 4991, "scanner": "repobility-agent-runtime", "fingerprint": "29510b4863409535d0b7e0f10f369a57da0919b9ad263d7c05ce0960c8ed07a8", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|29510b4863409535d0b7e0f10f369a57da0919b9ad263d7c05ce0960c8ed07a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/index.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AGT008", "level": "warning", "message": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "properties": {"repobilityId": 4990, "scanner": "repobility-agent-runtime", "fingerprint": "f538455b9cdcee2a2849e4f64ee81bdacac7f5a99a3012c4c0a82b42804a1a8a", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File references Ollama and an audios payload without an obvious capability check or browser-transcription disclosure.", "evidence": {"rule_id": "AGT008", "scanner": 
"repobility-agent-runtime", "references": [], "correlation_key": "fp|f538455b9cdcee2a2849e4f64ee81bdacac7f5a99a3012c4c0a82b42804a1a8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Conversations.tsx"}, "region": {"startLine": 618}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 4894, "scanner": "repobility-journey-contract", "fingerprint": "b8a3fda9c6d1b1baaac23ecc2589d886432b58c9dfc2767f0228419bef783060", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ps", "correlation_key": "fp|b8a3fda9c6d1b1baaac23ecc2589d886432b58c9dfc2767f0228419bef783060", "backend_endpoint_count": 21}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/intelligence/IntelligenceSettingsTab.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 4893, "scanner": "repobility-journey-contract", "fingerprint": "938b0a5b759b66d22ab6b6070d2348a7c0e49e4a15c8102f79d67cd012345ec7", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|171|jrn002"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 4892, "scanner": "repobility-journey-contract", "fingerprint": "9b670f0c311aae73919e49a887f9a16b73150dbd913a2a09583a1652fe539eb0", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|154|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 4891, "scanner": "repobility-journey-contract", "fingerprint": "c61bc8ca3da779205d1fd3a85ea09037c052776d48671dd6695da83afe0e7964", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|60|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/coreModeSlice.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as 
export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /probe."}, "properties": {"repobilityId": 4890, "scanner": "repobility-access-control", "fingerprint": "0cb02af8ab627350b6f8120bb5e08298a3e9238bac7efa985b58b0e00b7b9206", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/probe", "method": "ANY", "scanner": "repobility-access-control", "framework": "Actix", "correlation_key": "code|auth|src/api/rest_tests.rs|187|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/rest_tests.rs"}, "region": {"startLine": 187}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 19.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 4889, "scanner": "repobility-access-control", "fingerprint": "b8aec905544bed83fdc3a42829107350ecf9e4a9966950416af2389bcfb07328", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 42, "correlation_key": "fp|b8aec905544bed83fdc3a42829107350ecf9e4a9966950416af2389bcfb07328", "auth_visible_percent": 19.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 4888, "scanner": "repobility-access-control", "fingerprint": 
"f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Actix", "Axum"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `e2e` image uses the latest tag"}, "properties": {"repobilityId": 4887, "scanner": "repobility-docker", "fingerprint": "f8629e196d6fc0c6b1142aad9b7d73b2e8c868ac172043f0b771e1b249cde2ab", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/tinyhumansai/openhuman_ci:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f8629e196d6fc0c6b1142aad9b7d73b2e8c868ac172043f0b771e1b249cde2ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 4885, "scanner": "repobility-docker", "fingerprint": "e934807ed7f25492c22e61e7dab3ac09998d87533437466d526f5399801e0cdc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": 
{"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:22.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e934807ed7f25492c22e61e7dab3ac09998d87533437466d526f5399801e0cdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 4879, "scanner": "repobility-docker", "fingerprint": "4f231211c7d99915271b0839f519a39b956013e34c7ce04792275f68dcf3bebb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:22.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4f231211c7d99915271b0839f519a39b956013e34c7ce04792275f68dcf3bebb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 4876, "scanner": "repobility-threat-engine", "fingerprint": "76f6efcd1c7652dd306d7edc263faf37cad7d1957d4b038f749bc09af87d21ad", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not 
user-controllable", "evidence": {"match": "exec(input", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|34|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/conversations/utils/workerThreadRef.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 4867, "scanner": "repobility-threat-engine", "fingerprint": "1550948315f6f851255f5d664c662bfff217dc5c6462f69abda5bee8ab2e17bc", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1550948315f6f851255f5d664c662bfff217dc5c6462f69abda5bee8ab2e17bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_video/camera_bridge.js"}, "region": {"startLine": 138}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 4866, "scanner": "repobility-threat-engine", "fingerprint": "9d81123cbeb98a1eb62f29ce49a9ac4ea6d193a0e3a1706494c950d5e488ba9a", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(function () {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", 
"confidence": 1.0, "correlation_key": "fp|9d81123cbeb98a1eb62f29ce49a9ac4ea6d193a0e3a1706494c950d5e488ba9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/webview_accounts/runtime.js"}, "region": {"startLine": 159}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 4865, "scanner": "repobility-threat-engine", "fingerprint": "61c34d6c620b75eaebc1ce3a4f51611cd02e167de0c49c1cbfe21e450b1b3b77", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61c34d6c620b75eaebc1ce3a4f51611cd02e167de0c49c1cbfe21e450b1b3b77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/recipes/google-meet/recipe.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 4864, "scanner": "repobility-agent-runtime", "fingerprint": "d21ceb7d7846af2b8d5ffe71ecc4816991ee83ae8503bc4fb6280867fd38c850", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d21ceb7d7846af2b8d5ffe71ecc4816991ee83ae8503bc4fb6280867fd38c850"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/vite.config.ts"}, 
"region": {"startLine": 42}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 4863, "scanner": "repobility-agent-runtime", "fingerprint": "0efe38aa8f780a750e6c9210e333ea4705df2fd666dd890325d3cfe7defd168c", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|0efe38aa8f780a750e6c9210e333ea4705df2fd666dd890325d3cfe7defd168c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/userScopedStorage.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 4862, "scanner": "repobility-agent-runtime", "fingerprint": "afc5373829e00e60655ee2562ad90908645070c599f03610bcc46fc5192b071a", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|afc5373829e00e60655ee2562ad90908645070c599f03610bcc46fc5192b071a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/store/index.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 4861, 
"scanner": "repobility-agent-runtime", "fingerprint": "85077487b977acb768a2239a954aa7f0906d801fbc9f633935eea39e0b6c3d9d", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|85077487b977acb768a2239a954aa7f0906d801fbc9f633935eea39e0b6c3d9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/onboarding/components/BetaBanner.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AGT008", "level": "warning", "message": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "properties": {"repobilityId": 4860, "scanner": "repobility-agent-runtime", "fingerprint": "4661a79ab0013a07f9af1733c02dca70ec8f7030d2acaf4a2f427974066d0f63", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File references Ollama and an audios payload without an obvious capability check or browser-transcription disclosure.", "evidence": {"rule_id": "AGT008", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4661a79ab0013a07f9af1733c02dca70ec8f7030d2acaf4a2f427974066d0f63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Conversations.tsx"}, "region": {"startLine": 603}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 4859, "scanner": "repobility-agent-runtime", "fingerprint": "4b59d9c309d7898774d889516bb9629dbf408c609c23d7e3b9976e796be7a409", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": 
"open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|4b59d9c309d7898774d889516bb9629dbf408c609c23d7e3b9976e796be7a409"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/overlay/OverlayApp.tsx"}, "region": {"startLine": 412}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 4858, "scanner": "repobility-agent-runtime", "fingerprint": "45bedb785873b064349b6bb7a3079182469c837778c9bd95fafc1abef00d5aad", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|45bedb785873b064349b6bb7a3079182469c837778c9bd95fafc1abef00d5aad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/AgentChatPanel.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 4845, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3fc1edb80dfb220f4ade01d077fce6d73615380c27622cde42f32df43ecec54c", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", 
"evidence": {"suffix": "clean", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "src/openhuman/memory/tree/canonicalize/email.rs", "correlation_key": "fp|3fc1edb80dfb220f4ade01d077fce6d73615380c27622cde42f32df43ecec54c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/tree/canonicalize/email_clean.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 4844, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3a7eecd2d43871e24ea00e7a56d9b175798254ce8027df32526c095053de9f5", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "alt", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "remotion/src/Mascot/mascot-yellow-wave.tsx", "correlation_key": "fp|b3a7eecd2d43871e24ea00e7a56d9b175798254ce8027df32526c095053de9f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "remotion/src/Mascot/mascot-yellow-wave-alt.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23536, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b76b5938e15a4abd65eb80d006511fa57809291d8b7ca2c9d461ee840e3ba8b8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/SettingsHome.tsx", "duplicate_line": 302, "correlation_key": "fp|b76b5938e15a4abd65eb80d006511fa57809291d8b7ca2c9d461ee840e3ba8b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/TeamMembersPanel.tsx"}, "region": {"startLine": 112}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23535, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ddad29a118442ea7ea964dae519ca6254358d2202a3db8ac746d093f9292891", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/panels/TeamInvitesPanel.tsx", "duplicate_line": 142, "correlation_key": "fp|9ddad29a118442ea7ea964dae519ca6254358d2202a3db8ac746d093f9292891"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/TeamMembersPanel.tsx"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23534, "scanner": "repobility-ai-code-hygiene", "fingerprint": "103ca2cfe1d4081512d0e04127af9300f510456f9cad43adfa4d400757a0f509", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/SettingsHome.tsx", "duplicate_line": 301, "correlation_key": "fp|103ca2cfe1d4081512d0e04127af9300f510456f9cad43adfa4d400757a0f509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/TeamInvitesPanel.tsx"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23533, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6271141c75065e988e00627a5991195ea7e690cd468e163676d85bf989b3d1e6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/panels/RecoveryPhrasePanel.tsx", "duplicate_line": 388, "correlation_key": "fp|6271141c75065e988e00627a5991195ea7e690cd468e163676d85bf989b3d1e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/TeamInvitesPanel.tsx"}, "region": {"startLine": 107}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23532, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e1c607f200df6076a8c325b6dc9ff99ecdd4597012d04bc193b5bc7034bc9fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"app/src/components/settings/SettingsHome.tsx", "duplicate_line": 301, "correlation_key": "fp|7e1c607f200df6076a8c325b6dc9ff99ecdd4597012d04bc193b5bc7034bc9fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/RecoveryPhrasePanel.tsx"}, "region": {"startLine": 389}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23531, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0d2c214da014fa1e6a3c48a46a445122fb740b27b4538ef0083deebe675cad31", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/panels/ConnectionsPanel.tsx", "duplicate_line": 198, "correlation_key": "fp|0d2c214da014fa1e6a3c48a46a445122fb740b27b4538ef0083deebe675cad31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/PrivacyPanel.tsx"}, "region": {"startLine": 211}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23530, "scanner": "repobility-ai-code-hygiene", "fingerprint": "864a971c154d83fa66fa1639851f90cedcdad0b730d222ce04d0be39731de7c7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/settings/panels/AutocompleteDebugPanel.tsx", 
"duplicate_line": 13, "correlation_key": "fp|864a971c154d83fa66fa1639851f90cedcdad0b730d222ce04d0be39731de7c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/AutocompletePanel.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23529, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f658d2d94c5f76c729e5feeaab761e847e1427e8431bed9d8c6b6bcc91221cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/intelligence/MemorySources.tsx", "duplicate_line": 328, "correlation_key": "fp|3f658d2d94c5f76c729e5feeaab761e847e1427e8431bed9d8c6b6bcc91221cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/intelligence/MemoryWorkspace.tsx"}, "region": {"startLine": 380}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23528, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3d751646748cec6bafbba842cc8145f557b348d1764c2f051e3d240606fc74a1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/intelligence/MemorySources.tsx", "duplicate_line": 38, "correlation_key": 
"fp|3d751646748cec6bafbba842cc8145f557b348d1764c2f051e3d240606fc74a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/intelligence/MemorySyncConnections.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23527, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac7f303657d96b8d09d3da94266f1ab9ae5f770da1b26e1ac1db0abcb2ace56c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/intelligence/ActionableCard.tsx", "duplicate_line": 262, "correlation_key": "fp|ac7f303657d96b8d09d3da94266f1ab9ae5f770da1b26e1ac1db0abcb2ace56c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/intelligence/IntelligenceSubconsciousTab.tsx"}, "region": {"startLine": 344}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23526, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5598b68f8e7682977ed5084876c59a084452b7cda0ebcb3a743fb1f62c72a111", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/channels/DiscordConfig.tsx", "duplicate_line": 4, "correlation_key": 
"fp|5598b68f8e7682977ed5084876c59a084452b7cda0ebcb3a743fb1f62c72a111"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/channels/TelegramConfig.tsx"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23525, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa8eace53f596edf0e93bdc4531b5a917423057e3d68d4fcefcfa54935b3b97e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/slack_scanner/idb.rs", "duplicate_line": 158, "correlation_key": "fp|aa8eace53f596edf0e93bdc4531b5a917423057e3d68d4fcefcfa54935b3b97e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/whatsapp_scanner/idb.rs"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23524, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11803e90f4f3e72733d510dd47bf4d50fdd5093c24c8e39acf835041251c318f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/gmessages_scanner/cdp_walk.rs", "duplicate_line": 68, "correlation_key": "fp|11803e90f4f3e72733d510dd47bf4d50fdd5093c24c8e39acf835041251c318f"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "app/src-tauri/src/whatsapp_scanner/idb.rs"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23523, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72e267f1013ebc6b2e972ca95aaea0bdb4de2d8bbbdea8209ffed8d1e6d3ef48", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/conn.rs", "duplicate_line": 9, "correlation_key": "fp|72e267f1013ebc6b2e972ca95aaea0bdb4de2d8bbbdea8209ffed8d1e6d3ef48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/mod.rs"}, "region": {"startLine": 418}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23522, "scanner": "repobility-ai-code-hygiene", "fingerprint": "076022a516d0d75bbd5948ce694be4a5ed1448458d38bf0f565e8d118bcc0c44", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/target.rs", "duplicate_line": 39, "correlation_key": "fp|076022a516d0d75bbd5948ce694be4a5ed1448458d38bf0f565e8d118bcc0c44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/mod.rs"}, "region": {"startLine": 381}}}]}, {"ruleId": "AIC003", "level": 
"note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23521, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16d00d3653b23682592f7fd3f18f13b2ea45936b4804293a9dd7c0c81baec9ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/discord_scanner/mod.rs", "duplicate_line": 15, "correlation_key": "fp|16d00d3653b23682592f7fd3f18f13b2ea45936b4804293a9dd7c0c81baec9ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/mod.rs"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23520, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d4bb3c83895b808aedbb85df6785885502b5f6e33fc87b669140a3a8c0e7fc72", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/slack_scanner/mod.rs", "duplicate_line": 1, "correlation_key": "fp|d4bb3c83895b808aedbb85df6785885502b5f6e33fc87b669140a3a8c0e7fc72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/mod.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 23519, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "0b12a95be21208160116695a7114fc58965d1471bf0790e3bc8d0bdbc2701620", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/gmessages_scanner/cdp_walk.rs", "duplicate_line": 68, "correlation_key": "fp|0b12a95be21208160116695a7114fc58965d1471bf0790e3bc8d0bdbc2701620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/idb.rs"}, "region": {"startLine": 147}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 4886, "scanner": "repobility-docker", "fingerprint": "6f82f915669a3638c3fe710128387245754ace6c0cefb8f31b1875c230b1ae57", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "openhuman-core", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6f82f915669a3638c3fe710128387245754ace6c0cefb8f31b1875c230b1ae57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 4884, "scanner": "repobility-docker", "fingerprint": "43c255baecb533f81fa04d72ef6a3a965b71248510674972964189545c0e4abd", "category": "docker", "severity": "low", "confidence": 0.72, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|43c255baecb533f81fa04d72ef6a3a965b71248510674972964189545c0e4abd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 4881, "scanner": "repobility-docker", "fingerprint": "e26b372d9d731d47aae7631256ea92261dbf4e179d697ec7b995fd178aab99f9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e26b372d9d731d47aae7631256ea92261dbf4e179d697ec7b995fd178aab99f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 4880, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4857, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83c2d9392fafdbf96fce0f2bcda0c50ec17e078c2fc4fb4f9ae354bda21678eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/slack_scanner/idb.rs", "duplicate_line": 11, "correlation_key": "fp|83c2d9392fafdbf96fce0f2bcda0c50ec17e078c2fc4fb4f9ae354bda21678eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/idb.rs"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4856, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ce9aa4bbf38ddc3235017167886d00dcfc0e6ff15c86cd303b5f7747bd433b13", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/discord_scanner/dom_snapshot.rs", "duplicate_line": 26, "correlation_key": 
"fp|ce9aa4bbf38ddc3235017167886d00dcfc0e6ff15c86cd303b5f7747bd433b13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/telegram_scanner/dom_snapshot.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4855, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee1be7c425fdd37eb067e6ce94a5321bce51d98b2dcbdb185540ce920846cb27", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/conn.rs", "duplicate_line": 9, "correlation_key": "fp|ee1be7c425fdd37eb067e6ce94a5321bce51d98b2dcbdb185540ce920846cb27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/mod.rs"}, "region": {"startLine": 505}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4854, "scanner": "repobility-ai-code-hygiene", "fingerprint": "972b994f6fbeb05629567270683524937625e54f993c86442abbdc1f9afe3ae4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/target.rs", "duplicate_line": 39, "correlation_key": "fp|972b994f6fbeb05629567270683524937625e54f993c86442abbdc1f9afe3ae4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"app/src-tauri/src/slack_scanner/mod.rs"}, "region": {"startLine": 468}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4853, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7497c0c80ad591084a1cc067f4c28a97f0f9e015de1238986a7ee810b342345d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/discord_scanner/mod.rs", "duplicate_line": 15, "correlation_key": "fp|7497c0c80ad591084a1cc067f4c28a97f0f9e015de1238986a7ee810b342345d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/mod.rs"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4852, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99d1fe5f42f514a25af85729ee1c6957c6086d11cee0281abc0068c3a41abda6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/gmessages_scanner/cdp_walk.rs", "duplicate_line": 68, "correlation_key": "fp|99d1fe5f42f514a25af85729ee1c6957c6086d11cee0281abc0068c3a41abda6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/idb.rs"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "note", "message": 
{"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4851, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d78f733177a6658d84a15d9f7a9a389be921106b046cb5581907ac06c92e007b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/discord_scanner/dom_snapshot.rs", "duplicate_line": 1, "correlation_key": "fp|d78f733177a6658d84a15d9f7a9a389be921106b046cb5581907ac06c92e007b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/slack_scanner/dom_snapshot.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4850, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05883ea93ab315e5a849c7df62ca3a9563ec82c9752ed560560ea10a10695766", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/meet_audio/inject.rs", "duplicate_line": 82, "correlation_key": "fp|05883ea93ab315e5a849c7df62ca3a9563ec82c9752ed560560ea10a10695766"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_video/inject.rs"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4849, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "d396e0ff3bda229f9b970511c11f729f78cc55ed6abfeb1672e06df84d9e2261", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/meet_audio/inject.rs", "duplicate_line": 56, "correlation_key": "fp|d396e0ff3bda229f9b970511c11f729f78cc55ed6abfeb1672e06df84d9e2261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/meet_scanner/mod.rs"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4848, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef3b893b196419e58d402a6a39c59ce67d7974e7647b7f53c322d3c92e37d829", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/gmessages_scanner/mod.rs", "duplicate_line": 30, "correlation_key": "fp|ef3b893b196419e58d402a6a39c59ce67d7974e7647b7f53c322d3c92e37d829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/imessage_scanner/mod.rs"}, "region": {"startLine": 321}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4847, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b4a842fe4cf070d28776150cb14e52ef962fec95d55405cdce520722f27020a", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/conn.rs", "duplicate_line": 9, "correlation_key": "fp|6b4a842fe4cf070d28776150cb14e52ef962fec95d55405cdce520722f27020a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/discord_scanner/mod.rs"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4846, "scanner": "repobility-ai-code-hygiene", "fingerprint": "edf17c8355b4f0ed468680b5153516941ec9dbcabd63432c5e07c1ad584ca896", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src-tauri/src/cdp/target.rs", "duplicate_line": 39, "correlation_key": "fp|edf17c8355b4f0ed468680b5153516941ec9dbcabd63432c5e07c1ad584ca896"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/discord_scanner/mod.rs"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "properties": {"repobilityId": 23510, "scanner": "repobility-threat-engine", "fingerprint": "98e6262e3b075184faf052c60b50f67bcbe7a59c78a00cb653069b8af654317c", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|98e6262e3b075184faf052c60b50f67bcbe7a59c78a00cb653069b8af654317c"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 23509, "scanner": "repobility-threat-engine", "fingerprint": "07cd62a859cf857e49eb46ee2db187cc7232f866aa416e68801172dce853811e", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn('[onboarding:api-keys] save failed', err)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|3|console.warn onboarding:api-keys save failed err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/onboarding/steps/ApiKeysStep.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC020", 
"level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 23508, "scanner": "repobility-threat-engine", "fingerprint": "9a383c383ff62abfbab7de3f53ff8367aff01aa9591d2f43d8996a3499518966", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('[onboarding:api-keys-page] completeAndExit failed', err)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|console.error onboarding:api-keys-page completeandexit failed err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/onboarding/pages/ApiKeysPage.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 23507, "scanner": "repobility-threat-engine", "fingerprint": "7a22f802c71cc1723f025b5db799c2b6849484890a55434351fcd72bcded651f", "category": "injection", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Triage note: the matched code is a direct DOM `.innerHTML = i` assignment, not React's dangerouslySetInnerHTML, so the 'deliberate React pattern' rationale does not apply. Kept as likely false positive on the assumption the assigned value is static application markup; confirm `i` is never user- or model-supplied before closing.", "evidence": {"match": ".innerHTML = i", "reason": "Triage note: the matched code is a direct DOM `.innerHTML = i` assignment, not React's dangerouslySetInnerHTML, so the 'deliberate React pattern' rationale does not apply. Kept as likely false positive on the assumption the assigned value is static application markup; confirm `i` is never user- or model-supplied before closing.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": 
"code|injection|token|87|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/features/human/Mascot/backend/BackendMascot.tsx"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 23506, "scanner": "repobility-threat-engine", "fingerprint": "9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 23505, "scanner": "repobility-threat-engine", "fingerprint": "935b3c282c85ca9dce2cc352dac787ae372306ea9e60fa978f519fc4a2e0e7ce", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|app/src/pages/skills.tsx|313|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Skills.tsx"}, "region": {"startLine": 313}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 23504, "scanner": "repobility-threat-engine", "fingerprint": "76339f900bcf76ece7868c0a11d8716114bb38b08741c74a339959ec65d9df4b", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|80|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Intelligence.tsx"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 23503, "scanner": "repobility-threat-engine", "fingerprint": "ac1fe3f24912e2a49591ac408050e603f4323987fd6c1e980724b35d6f8a8678", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|app/src/pages/accounts.tsx|41|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Accounts.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 83 more): Same pattern found in 83 additional files. Review if needed."}, "properties": {"repobilityId": 23502, "scanner": "repobility-threat-engine", "fingerprint": "7acd6142cceafc57bc4efa86f82b5557e3f41f0b68ab5be92035bedc68faf726", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 83 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 83 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7acd6142cceafc57bc4efa86f82b5557e3f41f0b68ab5be92035bedc68faf726"}}}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `e2e` image is selected through a build variable"}, "properties": {"repobilityId": 10454, "scanner": "repobility-docker", "fingerprint": "1d0e9c807aadc532a749d3ab156b7556d660de117d08d6cf8f04529fa0e39e5c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${OPENHUMAN_CI_IMAGE:-ghcr.io/tinyhumansai/openhuman_ci:latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1d0e9c807aadc532a749d3ab156b7556d660de117d08d6cf8f04529fa0e39e5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10453, "scanner": "repobility-threat-engine", "fingerprint": "6f7bccfb806b6f994ced3a577ada1d1f176909c9c0fe6b3f4c3d8ae04e9a2f28", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.debug('[configPersistence] Stored core token (cloud mode)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|21|console.debug configpersistence stored core token cloud mode"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 220}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 4993, "scanner": "repobility-threat-engine", "fingerprint": "a930699a5b77c7407e13c615ed42d0956012af7420debcfeff8989b329e88e24", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|77|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Intelligence.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 4875, "scanner": "repobility-threat-engine", "fingerprint": "015624d54588e78b188bc9104a95afc6319bd4ac8d54e067e19d0b8385b57e46", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.debug('[memory] syncMemoryClientToken: <redacted> \u2014 skipped (not Tauri)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|console.debug memory syncmemoryclienttoken: redacted skipped not tauri"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/tauriCommands/memory.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 4874, "scanner": "repobility-threat-engine", "fingerprint": "5b4980565e80304d74e1e652a6bbcd9ae87940ce6c059f11a5aec38420d4193c", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.debug('[configPersistence] Stored core token (cloud mode)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|17|console.debug configpersistence stored core token cloud mode"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/configPersistence.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 4873, "scanner": "repobility-threat-engine", "fingerprint": "71437094899e087d012e34c909d026c76b82ca0c89436d075cb270e3992cb3b9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn('[DeepLink] URL did not contain a token query parameter')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|console.warn deeplink url did not contain a token query parameter"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/utils/desktopDeepLinkListener.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 4872, "scanner": "repobility-threat-engine", "fingerprint": "ed3769a4ea3a3aeb3b1fd74c33a316d9452004c8aff6770390b3265ad0543e09", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ed3769a4ea3a3aeb3b1fd74c33a316d9452004c8aff6770390b3265ad0543e09"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 4871, "scanner": "repobility-threat-engine", "fingerprint": "de669097696fe4eadd8ddba65e9515052f454dc213d502311bb7501c0ada5c40", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|78|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Intelligence.tsx"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 4870, "scanner": "repobility-threat-engine", "fingerprint": "133cd7a0aa39891f85c6121ae9c725fbbcaa93dbcefaae9aa9a04461c1d4460f", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|app/src/pages/accounts.tsx|40|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Accounts.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 4869, "scanner": "repobility-threat-engine", "fingerprint": "48f304abcfea4752a3392db7e385376dd3f225994e7c32b8873be7c61648e337", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|app/src/pages/skills.tsx|303|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pages/Skills.tsx"}, "region": {"startLine": 303}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 4868, "scanner": "repobility-threat-engine", "fingerprint": "5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f"}}}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 23545, "scanner": "repobility-journey-contract", "fingerprint": "f7d96aa6b43aa79c03f14cfc908fd91ac6b32950f17b8318bc8af7bac1e44a98", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|291|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/ComposioPanel.tsx"}, "region": {"startLine": 291}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 23544, "scanner": "repobility-journey-contract", "fingerprint": "59c4aae5edaf702022c23093e24869e6a629c0a0fdb18140eb434f2bb696992d", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|1285|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"app/src/components/settings/panels/AIPanel.tsx"}, "region": {"startLine": 1285}}}]}, {"ruleId": "SEC018", "level": "error", "message": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation."}, "properties": {"repobilityId": 23512, "scanner": "repobility-threat-engine", "fingerprint": "6d173e086266afd3eb778ba9ec4336022313ada8bcd5996716656cea7ac8b97b", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "gh auth token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC018", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|scripts/act-staging.sh|12|gh auth token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/act-staging.sh"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC018", "level": "error", "message": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. 
AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation."}, "properties": {"repobilityId": 23511, "scanner": "repobility-threat-engine", "fingerprint": "33ef39654f20473eb235cee21b2aed00b1540b102e69e7617e8085551654f6fd", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "gh auth token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC018", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|7|gh auth token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/act-build-desktop.sh"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23501, "scanner": "repobility-threat-engine", "fingerprint": "f9333f3ff9a6857d43a1342eb55f0fb201473d52099098ee3a63f1dde60cd281", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f9333f3ff9a6857d43a1342eb55f0fb201473d52099098ee3a63f1dde60cd281"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/webview_accounts/runtime.js"}, "region": {"startLine": 440}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23500, "scanner": "repobility-threat-engine", "fingerprint": "052fcdf25a6c602e3c148f82bfbc02142e241d91f2a9827d9f85f473a28e47ea", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|052fcdf25a6c602e3c148f82bfbc02142e241d91f2a9827d9f85f473a28e47ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/webview_accounts/mod.rs"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 23499, "scanner": "repobility-threat-engine", "fingerprint": "957d6b529ef4e8ea95387abca224edcd858c1829d53a1d4f15413f1496283fb0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|957d6b529ef4e8ea95387abca224edcd858c1829d53a1d4f15413f1496283fb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src-tauri/src/cdp/session.rs"}, "region": {"startLine": 90}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 10459, "scanner": "repobility-journey-contract", "fingerprint": "adb2e33a5d089541e1ce0166e3d355f9dd76d33fbbcafd7abd2ed476194d2067", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|741|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 0}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/composio/ComposioConnectModal.tsx"}, "region": {"startLine": 741}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 4995, "scanner": "repobility-journey-contract", "fingerprint": 
"1232694db8c2b2fc5cecfba646d9c6ae31fbf053f3eac027f687dded4384d329", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|465|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/BackendProviderPanel.tsx"}, "region": {"startLine": 465}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 4994, "scanner": "repobility-journey-contract", "fingerprint": "47b063b78c9a78d360378ac42736eb6afeb9cf92693b821682b6b83ae82cad74", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|519|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 0}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/composio/ComposioConnectModal.tsx"}, "region": {"startLine": 519}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 4897, "scanner": "repobility-journey-contract", "fingerprint": "c8a11cac30000837a5b03fb1b0740ed91b560694e4f1539198b6e532120c730a", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": 
"fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|82|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/local-model/CustomModelSection.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 4896, "scanner": "repobility-journey-contract", "fingerprint": "0ccb9533b2f773b4295186c60882d2dc6825a806e933e46ad38c78a919e54606", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|431|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/settings/panels/BackendProviderPanel.tsx"}, "region": {"startLine": 431}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 4895, "scanner": "repobility-journey-contract", "fingerprint": "45ccbc16932b123b5486725a3aecc00200f93387987bc886fb22e9de84775b86", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not 
visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|482|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/composio/ComposioConnectModal.tsx"}, "region": {"startLine": 482}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 4883, "scanner": "repobility-docker", "fingerprint": "b942048308d9a1df4ccd79cb9bba15a44e57079daee70c2d67ff135c171c0e51", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b942048308d9a1df4ccd79cb9bba15a44e57079daee70c2d67ff135c171c0e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 4882, "scanner": "repobility-docker", "fingerprint": "1711f825ac45df78e3a4d6f0de2a7c6f0153a0312b9d855bf07616f139b56f4d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1711f825ac45df78e3a4d6f0de2a7c6f0153a0312b9d855bf07616f139b56f4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 4878, "scanner": "repobility-docker", "fingerprint": "61773614b6c44909c6ba1fbcbe9381ccf2968b4c062a24692a4515456f2f87af", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|61773614b6c44909c6ba1fbcbe9381ccf2968b4c062a24692a4515456f2f87af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 4877, "scanner": "repobility-docker", "fingerprint": "b38a7d84de644662090102786f9677b2b25ff23cbe9537cca643e3d6d93de5cb", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b38a7d84de644662090102786f9677b2b25ff23cbe9537cca643e3d6d93de5cb"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/Dockerfile"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC019", "level": "error", "message": {"text": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files."}, "properties": {"repobilityId": 23518, "scanner": "repobility-threat-engine", "fingerprint": "3330eedba6e2d21e124b3576d171670b765335978153f162e7a049c4ebf02c7f", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Authorization: Bearer <redacted>", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC019", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|13|authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/tree/jobs/redact.rs"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC019", "level": "error", "message": {"text": "[SEC019] Raw Authorization Token in Example: A real-looking API token appears in an Authorization-style header or service-key example. 
Use placeholders in docs and CI snippets; never paste live tokens into source, comments, or README files."}, "properties": {"repobilityId": 23517, "scanner": "repobility-threat-engine", "fingerprint": "5c4b5ab64ac88bd3ee040742c032617065bd4782cbb957808392b9e1bc6a887f", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Authorization: Bearer <redacted>", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC019", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|35|authorization: bearer redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/safety/mod.rs"}, "region": {"startLine": 351}}}]}, {"ruleId": "SEC010", "level": "error", "message": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "properties": {"repobilityId": 23516, "scanner": "repobility-threat-engine", "fingerprint": "77ab4178fb1cf9116e203670175d9172423df880e0d3a6b03bde6e00cf289425", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "xoxb-1234567890-abcdEFG", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC010", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|16|xoxb-1234567890-abcdefg"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/tree/jobs/redact.rs"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC010", "level": "error", "message": {"text": "[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code."}, "properties": {"repobilityId": 23515, "scanner": 
"repobility-threat-engine", "fingerprint": "2a6a19f8a277a12d5f401a37b72bf9f0de6441e3eba88a2f21335544635c8979", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "glpat-aaaaaaaaaaaaaaaaaaaa", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC010", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|40|glpat- hex"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/openhuman/memory/safety/mod.rs"}, "region": {"startLine": 410}}}]}]}]}