{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /au"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `cloudflared` image uses the latest tag", "shortDescription": {"text": "Compose service `cloudflared` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `minio` image has no explicit tag", "shortDescription": {"text": "Compose service `minio` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. 
If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC034", "name": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines o", "shortDescription": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (S"}, "fullDescription": {"text": "Strip control characters before logging:\n  safe = user_input.replace('\\n','').replace('\\r','').replace('\\x00','')\n  logger.info('User action: %s', safe)\nAlways use parameterized logging (`%s` + args), never f-strings or string concat \u2014 that's also what mitigates log4shell-style attacks. 
For structured logging, use a JSON formatter that escapes values."}, "properties": {"scanner": "repobility-threat-engine", "category": "log_injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a loopback host port", "shortDescription": {"text": "Database service publishes a loopback host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", 
"shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 50 more): Same pattern found in 50 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 50 more): Same pattern found in 50 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. 
Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /results/:id/route."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "Use a server-side one-time authorization code tied to a registered callback allowlist. Do not append access tokens to callback URLs or fragments."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. 
Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "DKR005", "name": "Docker image bakes a secret-like ENV value", "shortDescription": {"text": "Docker image bakes a secret-like ENV value"}, "fullDescription": {"text": "Remove the secret from the Dockerfile, rotate the value if real, and inject runtime secrets through your platform secret manager."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/484"}, "properties": {"repository": "dograh-hq/dograh", "repoUrl": "https://github.com/dograh-hq/dograh.git", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 28226, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28223, "scanner": "repobility-journey-contract", "fingerprint": 
"070c4bf8f5b37866f3d22ea01bc0f41e1e27f367d75f79e9c33068f588a0c08f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/node-types/{param}", "correlation_key": "fp|070c4bf8f5b37866f3d22ea01bc0f41e1e27f367d75f79e9c33068f588a0c08f", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/_generated_models.ts"}, "region": {"startLine": 244}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28222, "scanner": "repobility-journey-contract", "fingerprint": "756e56089d4f83ff59755dec352594bc379966b357288b183b0cb66ac5006eb1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/node-types", "correlation_key": "fp|756e56089d4f83ff59755dec352594bc379966b357288b183b0cb66ac5006eb1", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/_generated_models.ts"}, "region": {"startLine": 221}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28221, "scanner": "repobility-journey-contract", "fingerprint": 
"67ed36076e7af366c3093fce16cbfbe1ec6a97e7e72f85ef97f1ed0e45e9622c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/workflow-recordings", "correlation_key": "fp|67ed36076e7af366c3093fce16cbfbe1ec6a97e7e72f85ef97f1ed0e45e9622c", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/_generated_models.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28220, "scanner": "repobility-journey-contract", "fingerprint": "5efcc934fee424bb6ce6e615e9d245d51031dd56a6ad744efccdf00c7df5b5c5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/knowledge-base/documents", "correlation_key": "fp|5efcc934fee424bb6ce6e615e9d245d51031dd56a6ad744efccdf00c7df5b5c5", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/_generated_models.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28219, "scanner": "repobility-journey-contract", "fingerprint": 
"ced881cf62f2ea4b23f71914207a229e4a743fe66a9fe6d07188cf7393d09271", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/tools", "correlation_key": "fp|ced881cf62f2ea4b23f71914207a229e4a743fe66a9fe6d07188cf7393d09271", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/_generated_models.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28218, "scanner": "repobility-journey-contract", "fingerprint": "2e03130a2de5bca9fe1ad4c6881f340832f5b5250623fc50be171885c4a5a934", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/credentials", "correlation_key": "fp|2e03130a2de5bca9fe1ad4c6881f340832f5b5250623fc50be171885c4a5a934", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/_generated_models.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28217, "scanner": "repobility-journey-contract", "fingerprint": 
"33d9f3c69f6c9d202e3748321f1286628dca2df19576cacb56828f68d7307193", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/workflow/{param}", "correlation_key": "fp|33d9f3c69f6c9d202e3748321f1286628dca2df19576cacb56828f68d7307193", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/_generated_models.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28216, "scanner": "repobility-journey-contract", "fingerprint": "bf74837c146412490afbf43c0a8e95aaf40e9a71dfa05588b4792618839a5219", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/workflow/fetch/{param}", "correlation_key": "fp|bf74837c146412490afbf43c0a8e95aaf40e9a71dfa05588b4792618839a5219", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/_generated_models.ts"}, "region": {"startLine": 75}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28215, "scanner": "repobility-journey-contract", "fingerprint": 
"f1b49fb32b65a17bd366968a60d7ceb7fc316c7fa04812d55b8685972df78790", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/workflow/fetch", "correlation_key": "fp|f1b49fb32b65a17bd366968a60d7ceb7fc316c7fa04812d55b8685972df78790", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/_generated_models.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28214, "scanner": "repobility-journey-contract", "fingerprint": "9032617c27c5ff6fbb42df0981325c3d2ae03285fbebab18458bcb37b55f4fb7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/workflow/create/definition", "correlation_key": "fp|9032617c27c5ff6fbb42df0981325c3d2ae03285fbebab18458bcb37b55f4fb7", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/_generated_models.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28213, "scanner": "repobility-journey-contract", "fingerprint": 
"635d242c00624f52e953b05920d1f4969aaeea4b7639c1093630c8c66274ffd8", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/telephony/initiate-call", "correlation_key": "fp|635d242c00624f52e953b05920d1f4969aaeea4b7639c1093630c8c66274ffd8", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/src/_generated_models.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28212, "scanner": "repobility-journey-contract", "fingerprint": "65266a987a6aa83e78fd6ade4a8bef93bb140beee2dbd6d3601ca3ca73a4e600", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/audio/{param}", "correlation_key": "fp|65266a987a6aa83e78fd6ade4a8bef93bb140beee2dbd6d3601ca3ca73a4e600", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/visualizer/src/app/view/[id]/page.tsx"}, "region": {"startLine": 88}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28211, "scanner": "repobility-journey-contract", "fingerprint": 
"0de493bfef6b44c5e5e91bf2a270d7de7e96df24d08b7cd0e7771544c5baf7a7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/results/{param}", "correlation_key": "fp|0de493bfef6b44c5e5e91bf2a270d7de7e96df24d08b7cd0e7771544c5baf7a7", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/visualizer/src/app/view/[id]/page.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28210, "scanner": "repobility-journey-contract", "fingerprint": "66ca7d92a69a51a9268c43774612b6633b0eb833fd0a6e80fbc921e559ef48a8", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/results", "correlation_key": "fp|66ca7d92a69a51a9268c43774612b6633b0eb833fd0a6e80fbc921e559ef48a8", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/visualizer/src/app/page.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28209, "scanner": "repobility-journey-contract", "fingerprint": 
"518d99fe9827495dfbcf72e8d47e4bee1beb7c238b6a988fa477597e50f27947", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/node-types", "correlation_key": "fp|518d99fe9827495dfbcf72e8d47e4bee1beb7c238b6a988fa477597e50f27947", "backend_endpoint_count": 11}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/mcp_server/ts_validator/src/types.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /audio/:filename/route."}, "properties": {"repobilityId": 28207, "scanner": "repobility-access-control", "fingerprint": "d111cf66b45e724671e8f790c55d27f4b6336490e0ef9442a3d1bd067ca0cde4", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/audio/:filename/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / filename /route.ts|15|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/visualizer/src/app/api/audio/[filename]/route.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /results/:id/route."}, "properties": {"repobilityId": 28206, "scanner": "repobility-access-control", "fingerprint": "952ae32a4a31aa4ad33f9cd26cb0c413262e5d380b161c5ae202f33689d2b9c2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/results/:id/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / id /route.ts|7|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/visualizer/src/app/api/results/[id]/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /results/route."}, "properties": {"repobilityId": 28205, "scanner": "repobility-access-control", "fingerprint": "54cf8edd2e0e964ebc2662421eb9e4b8c4ffa04663f3f9dec4483f377919dde2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/results/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|8|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/visualizer/src/app/api/results/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /auth/oss/route."}, "properties": {"repobilityId": 28204, "scanner": "repobility-access-control", "fingerprint": "1ff5787839c883c7b23328bb65a2a9e15eb4a12423c3cdc0afae0bca97a8cc2a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/oss/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|14|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/api/auth/oss/route.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /auth/session/route."}, "properties": {"repobilityId": 28203, "scanner": "repobility-access-control", "fingerprint": "2aae9de145fcba99706e4c66b8e0d805ff9018e1c557243e90d46d122ed4864f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/session/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|7|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/api/auth/session/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /config/auth/route."}, "properties": {"repobilityId": 28202, "scanner": "repobility-access-control", "fingerprint": "f56299ab9baecd754f960b80b2e1766e4060bfe099b7e9b7caf4e0fcbf3106c5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/config/auth/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|6|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/api/config/auth/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /config/sentry/route."}, "properties": {"repobilityId": 28201, "scanner": "repobility-access-control", "fingerprint": "8a914d1f2f045e6f0551521f27a2fe020718ac6c79dc39acf862cd64aed3adaf", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/config/sentry/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|3|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/api/config/sentry/route.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /config/version/route."}, "properties": {"repobilityId": 28200, "scanner": "repobility-access-control", "fingerprint": "814bffd05d28cbc77beaaa453daf3012bfa69da8dbae12320fa9faaa635ece96", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/config/version/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|9|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/api/config/version/route.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /impersonate."}, "properties": {"repobilityId": 28199, "scanner": "repobility-access-control", "fingerprint": "3e06f74ce71813b49d935e8dc2e4fb05d9de690118a4d06887948adf4f4e077b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/impersonate", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|11|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/impersonate/route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 18.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 28197, "scanner": "repobility-access-control", "fingerprint": "ae0e7b4007a228cab07ec453f8cb9c117341ab68ff3dea44fb2d51291624b5e0", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 11, "correlation_key": "fp|ae0e7b4007a228cab07ec453f8cb9c117341ab68ff3dea44fb2d51291624b5e0", "auth_visible_percent": 18.2}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 28196, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": 
"medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `cloudflared` image uses the latest tag"}, "properties": {"repobilityId": 28193, "scanner": "repobility-docker", "fingerprint": "6577cc471644b7ce576f896939c3497ef8fa7fd48fd85c59e2d4026a19293b47", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "cloudflare/cloudflared:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6577cc471644b7ce576f896939c3497ef8fa7fd48fd85c59e2d4026a19293b47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 236}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `minio` image has no explicit tag"}, "properties": {"repobilityId": 28180, "scanner": "repobility-docker", "fingerprint": "9a462dafc2b8c086a662ec7a83e646cbded168aaaa3c256dc0d149f952769637", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "minio/minio", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9a462dafc2b8c086a662ec7a83e646cbded168aaaa3c256dc0d149f952769637"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 28174, "scanner": "repobility-docker", "fingerprint": "437d13243711b6aedcbb23ad2d1c8c5abd9372fbac9e73d8d4646ade95364b1b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|437d13243711b6aedcbb23ad2d1c8c5abd9372fbac9e73d8d4646ade95364b1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/Dockerfile"}, "region": {"startLine": 59}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 28171, "scanner": "repobility-agent-runtime", "fingerprint": "102221f7ac536b6b38313b6e6be2b92fd53f3559fdcd709c47d5e08fdfe1b87e", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", 
"references": [], "correlation_key": "fp|102221f7ac536b6b38313b6e6be2b92fd53f3559fdcd709c47d5e08fdfe1b87e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 28140, "scanner": "repobility-threat-engine", "fingerprint": "7bafa577eae99f30ce7485bda7993b1b2a290a23cf01de68ceab348e4031b403", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7bafa577eae99f30ce7485bda7993b1b2a290a23cf01de68ceab348e4031b403"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/layout/GitHubStarBadge.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 28139, "scanner": "repobility-threat-engine", "fingerprint": "9298b95fa91e27f693a0613dd7051803aa89cd967251b7d7cee24ab38fae8243", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9298b95fa91e27f693a0613dd7051803aa89cd967251b7d7cee24ab38fae8243"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/layout.tsx"}, "region": 
{"startLine": 56}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 28137, "scanner": "repobility-threat-engine", "fingerprint": "8d6da74bfd7301d0a34efce105e4786af7ea29200426f9e3c1b807114aee862c", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CERT_NONE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|api/tasks/arq.py|28|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/tasks/arq.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 28133, "scanner": "repobility-threat-engine", "fingerprint": "17c03044b6388ea3d563b601958d3a0520f64b7d942b52de28c974451895293f", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "random.choice(api_key", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|63|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/workflow/qa/llm_config.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 28131, "scanner": "repobility-threat-engine", "fingerprint": "be3d8db06d8caab7aaff14032687c5c6b77229b6556959941df287434c3ffb1c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|be3d8db06d8caab7aaff14032687c5c6b77229b6556959941df287434c3ffb1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/filesystem/local.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 28130, "scanner": "repobility-threat-engine", "fingerprint": "4b9ba63bb3a5e5f8029f78c23f4f181eaa83c571c2753843873b9ea25f9a4e4e", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4b9ba63bb3a5e5f8029f78c23f4f181eaa83c571c2753843873b9ea25f9a4e4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/routes/organization.py"}, "region": {"startLine": 900}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 28129, "scanner": "repobility-threat-engine", "fingerprint": "572e0eb9001938cc7f64091efb387def50f11aeb234ee7b12e1e16fd262875d8", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|572e0eb9001938cc7f64091efb387def50f11aeb234ee7b12e1e16fd262875d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/routes/campaign.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control 
characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, Splunk). Where the logging framework also performs lookups or template expansion on the logged string, this can escalate to RCE (CVE-2021-44228, Log4Shell); otherwise the impact is limited to log forging and parser confusion. CWE-117."}, "properties": {"repobilityId": 28123, "scanner": "repobility-threat-engine", "fingerprint": "cac76519e46f8d9fa2df98e1ce4fb454e8356afe4cbcc00c8b54c620a07b5f17", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.info(\n            f\"Generated presigned upload URL for user {user.id}, org {user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cac76519e46f8d9fa2df98e1ce4fb454e8356afe4cbcc00c8b54c620a07b5f17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/routes/s3_signed_url.py"}, "region": {"startLine": 317}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, Splunk). Where the logging framework also performs lookups or template expansion on the logged string, this can escalate to RCE (CVE-2021-44228, Log4Shell); otherwise the impact is limited to log forging and parser confusion. 
CWE-117."}, "properties": {"repobilityId": 28122, "scanner": "repobility-threat-engine", "fingerprint": "08755448d17db1442858f820f78da8510ccda9367d5d1a9d7245ef27d4958529", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.info(\n            f\"Created document {req", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|08755448d17db1442858f820f78da8510ccda9367d5d1a9d7245ef27d4958529"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/routes/knowledge_base.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC034", "level": "warning", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\\n` to forge fake log entries, hide tracks, or exploit downstream log parsers (SIEM, Splunk). Where the logging framework also performs lookups or template expansion on the logged string, this can escalate to RCE (CVE-2021-44228, Log4Shell); otherwise the impact is limited to log forging and parser confusion. 
CWE-117."}, "properties": {"repobilityId": 28121, "scanner": "repobility-threat-engine", "fingerprint": "9491638a47e3dd40cd084ca92262e450bdfe39b2217f74939b1b7cbfba3cc271", "category": "log_injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "logger.warning(\n                    f\"Failed to validate user configuration for user {user", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9491638a47e3dd40cd084ca92262e450bdfe39b2217f74939b1b7cbfba3cc271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/db/user_client.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 28227, "scanner": "repobility-web-presence", "fingerprint": "dda1269c6231daaf0fedfdc27f9abb47526e760929cd9ad4262e66e7a636af78", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|dda1269c6231daaf0fedfdc27f9abb47526e760929cd9ad4262e66e7a636af78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/providers/twilio/provider.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 28195, "scanner": "repobility-docker", "fingerprint": "faadf8ad4caf4eef21ad109566ef830e64f6c254868ab0f9a08915996f7520ba", "category": 
"docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cloudflared", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|faadf8ad4caf4eef21ad109566ef830e64f6c254868ab0f9a08915996f7520ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 236}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 28194, "scanner": "repobility-docker", "fingerprint": "0c65478280be1480b0d46fcf1fdd39f1bedc5c61ce6435444001008317500760", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "cloudflared", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0c65478280be1480b0d46fcf1fdd39f1bedc5c61ce6435444001008317500760"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 236}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 28192, "scanner": "repobility-docker", "fingerprint": "bc4871f3ef1b47a30e1912e412c69931c06655ad1c7acf299baa5a8c3e50d9b5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": 
"DKC010", "scanner": "repobility-docker", "service": "ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bc4871f3ef1b47a30e1912e412c69931c06655ad1c7acf299baa5a8c3e50d9b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 206}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 28191, "scanner": "repobility-docker", "fingerprint": "646a04ef3e277b7a3d942d104f8fbbe46d94903ae8c7bca7b9758cf6e0a00b43", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|646a04ef3e277b7a3d942d104f8fbbe46d94903ae8c7bca7b9758cf6e0a00b43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 206}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 28189, "scanner": "repobility-docker", "fingerprint": "5338deb1ecc4c80b22a3e220332b146b817988a4478796e9a76781a1c3749cc9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|5338deb1ecc4c80b22a3e220332b146b817988a4478796e9a76781a1c3749cc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 124}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 28187, "scanner": "repobility-docker", "fingerprint": "8e09f512248c147010e1accca596c4736b7ee03add3b69433c700d762f41677e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8e09f512248c147010e1accca596c4736b7ee03add3b69433c700d762f41677e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 124}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 28185, "scanner": "repobility-docker", "fingerprint": "8cec813a4a065cb1132778240dd516b585b85dba835e44fa8baee116735cba45", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "coturn", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8cec813a4a065cb1132778240dd516b585b85dba835e44fa8baee116735cba45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 102}}}]}, {"ruleId": "DKC006", "level": "note", 
"message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 28184, "scanner": "repobility-docker", "fingerprint": "80aa1c9ebd7fed15e4585205ca59652f145db8aed56daa6149333e37271b49a4", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "coturn", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|80aa1c9ebd7fed15e4585205ca59652f145db8aed56daa6149333e37271b49a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 102}}}]}, {"ruleId": "DKC011", "level": "note", "message": {"text": "Database service publishes a loopback host port"}, "properties": {"repobilityId": 28182, "scanner": "repobility-docker", "fingerprint": "d86b65db9952fbbcd42a4e76b5417e66fc469f8715c326719c3a2e8142170fe0", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database-like image publishes only loopback host ports.", "evidence": {"ports": [{"raw": "127.0.0.1:9000:9000", "target": "9000", "host_ip": "127.0.0.1", "published": "9000"}, {"raw": "127.0.0.1:9001:9001", "target": "9001", "host_ip": "127.0.0.1", "published": "9001"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "loopback", "correlation_key": "fp|d86b65db9952fbbcd42a4e76b5417e66fc469f8715c326719c3a2e8142170fe0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, 
"region": {"startLine": 40}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 28177, "scanner": "repobility-docker", "fingerprint": "25fda68d8d2ea5001df034d8d53e0fc8b35dead7fa19fb119cfff82c99d5fca2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|25fda68d8d2ea5001df034d8d53e0fc8b35dead7fa19fb119cfff82c99d5fca2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 28175, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 28173, "scanner": 
"repobility-docker", "fingerprint": "9ca90d1039de6a8cb8808b651a45968a323bc74ca87648d19622324f7f47c538", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9ca90d1039de6a8cb8808b651a45968a323bc74ca87648d19622324f7f47c538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/Dockerfile"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 28172, "scanner": "repobility-docker", "fingerprint": "4a104e7b24cd10813c11091b457180f8c1a7f7559d727446002fc0d58333ee0a", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4a104e7b24cd10813c11091b457180f8c1a7f7559d727446002fc0d58333ee0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28170, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88b73265f8715231954f7b5e6237792c3b51989d96b79cd68fb0ec86dc7d9c37", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evals/stt/benchmark.py", "duplicate_line": 161, "correlation_key": "fp|88b73265f8715231954f7b5e6237792c3b51989d96b79cd68fb0ec86dc7d9c37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/stt/event_capture.py"}, "region": {"startLine": 175}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28169, "scanner": "repobility-ai-code-hygiene", "fingerprint": "174f1a02e235e4c82e98518c32baed8266be8559c774e4442fe700f0b04edbfe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/workflow/node_specs/agent.py", "duplicate_line": 58, "correlation_key": "fp|174f1a02e235e4c82e98518c32baed8266be8559c774e4442fe700f0b04edbfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/workflow/node_specs/start_call.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28168, "scanner": "repobility-ai-code-hygiene", "fingerprint": "629c362c00c58fa61ee8d9a6f4cb6b6b89b6ae9706832d2c2390c60a84174842", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "api/services/workflow/node_specs/agent.py", "duplicate_line": 94, "correlation_key": "fp|629c362c00c58fa61ee8d9a6f4cb6b6b89b6ae9706832d2c2390c60a84174842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/workflow/node_specs/end_call.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28167, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a4d189e4c18ce83480072475ba4e892e51be1a8e0dc3d7593f5a8f2878974026", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/plivo/provider.py", "duplicate_line": 238, "correlation_key": "fp|a4d189e4c18ce83480072475ba4e892e51be1a8e0dc3d7593f5a8f2878974026"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/status_processor.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28166, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0cde6d472950e7c027db56937abb4b05e178c06741f65170e62861e05a278b3c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/ari/transport.py", 
"duplicate_line": 44, "correlation_key": "fp|0cde6d472950e7c027db56937abb4b05e178c06741f65170e62861e05a278b3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/providers/vonage/transport.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28165, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7281265a9462a24589bc05898a3e55c28996a1d3abdd1a0804d92ae29750ad4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/plivo/provider.py", "duplicate_line": 255, "correlation_key": "fp|7281265a9462a24589bc05898a3e55c28996a1d3abdd1a0804d92ae29750ad4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/providers/vobiz/provider.py"}, "region": {"startLine": 268}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28164, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e317a3769e4eef8f63f0b09af0b9d3da348a83e703ac94c2b84b6f2f699798b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/plivo/__init__.py", "duplicate_line": 28, "correlation_key": 
"fp|5e317a3769e4eef8f63f0b09af0b9d3da348a83e703ac94c2b84b6f2f699798b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/providers/vobiz/__init__.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28163, "scanner": "repobility-ai-code-hygiene", "fingerprint": "71cd3b59309e43a54ada540e68bd26623e5605c7d74d85c6f853a3be0cd2fee8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/ari/transport.py", "duplicate_line": 46, "correlation_key": "fp|71cd3b59309e43a54ada540e68bd26623e5605c7d74d85c6f853a3be0cd2fee8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/providers/twilio/transport.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28162, "scanner": "repobility-ai-code-hygiene", "fingerprint": "acd9668bd24861db2c799e2f47b10d90284416864f0d86c5406af10764f52977", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/plivo/routes.py", "duplicate_line": 55, "correlation_key": "fp|acd9668bd24861db2c799e2f47b10d90284416864f0d86c5406af10764f52977"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/providers/twilio/routes.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28161, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d20f91e40c56ad45a61ffaeb1017446f104c4df486d4cf75ca7f29a713a6e4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/cloudonix/routes.py", "duplicate_line": 33, "correlation_key": "fp|8d20f91e40c56ad45a61ffaeb1017446f104c4df486d4cf75ca7f29a713a6e4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/providers/twilio/routes.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28160, "scanner": "repobility-ai-code-hygiene", "fingerprint": "556b3d63e26eece7cd80ab6895f91f91d3c6d60ada7b3412332719bb1aab959e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/cloudonix/provider.py", "duplicate_line": 336, "correlation_key": "fp|556b3d63e26eece7cd80ab6895f91f91d3c6d60ada7b3412332719bb1aab959e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"api/services/telephony/providers/twilio/provider.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28159, "scanner": "repobility-ai-code-hygiene", "fingerprint": "792392082405ba963e1e5d1a43b932d44fa2e8c81ce9863c68392c8bb18a4649", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/ari/transport.py", "duplicate_line": 46, "correlation_key": "fp|792392082405ba963e1e5d1a43b932d44fa2e8c81ce9863c68392c8bb18a4649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/providers/telnyx/transport.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28158, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d96eb1b92529c4794eab5a61f58fa4381727badb2fade481aac7f63eb23ed48", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/ari/transport.py", "duplicate_line": 44, "correlation_key": "fp|9d96eb1b92529c4794eab5a61f58fa4381727badb2fade481aac7f63eb23ed48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/providers/plivo/transport.py"}, "region": {"startLine": 
40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28157, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c059dbf72baf09ed30e0801a1b626ead7616f18e9cfc84c9745873ecdcfd0c82", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/cloudonix/routes.py", "duplicate_line": 45, "correlation_key": "fp|c059dbf72baf09ed30e0801a1b626ead7616f18e9cfc84c9745873ecdcfd0c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/providers/plivo/routes.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28156, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e140baee6c0b2966ea2cf4d338a00cf9c339578126b75a4dbc263cd77754a815", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/telephony/providers/ari/transport.py", "duplicate_line": 46, "correlation_key": "fp|e140baee6c0b2966ea2cf4d338a00cf9c339578126b75a4dbc263cd77754a815"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/telephony/providers/cloudonix/transport.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 28155, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2302f9b96d3d32f0fa973581c93f3a8e22d654807bab41a55cc8575a94dd6326", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/pipecat/realtime/gemini_live.py", "duplicate_line": 88, "correlation_key": "fp|2302f9b96d3d32f0fa973581c93f3a8e22d654807bab41a55cc8575a94dd6326"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/pipecat/realtime/openai_realtime.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28154, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e6c631e3b0366c89fd7e3d744b84c85080574d317aaffebd2e6c4c481a9c0a6f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/services/campaign/sources/csv.py", "duplicate_line": 76, "correlation_key": "fp|e6c631e3b0366c89fd7e3d744b84c85080574d317aaffebd2e6c4c481a9c0a6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/services/campaign/sources/google_sheets.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28153, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "ccd1f8c1922e3efccc67cc22e849754bfae5c028dd0dcfd96b7cb0878b4ca600", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/db/campaign_client.py", "duplicate_line": 168, "correlation_key": "fp|ccd1f8c1922e3efccc67cc22e849754bfae5c028dd0dcfd96b7cb0878b4ca600"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/db/workflow_run_client.py"}, "region": {"startLine": 242}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28152, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1bc1365ecdca476b4f45d273a5a752531b02d95b85c829b63fcb7c64edeb0b6c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/db/campaign_client.py", "duplicate_line": 519, "correlation_key": "fp|1bc1365ecdca476b4f45d273a5a752531b02d95b85c829b63fcb7c64edeb0b6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/db/organization_usage_client.py"}, "region": {"startLine": 297}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28151, "scanner": "repobility-ai-code-hygiene", "fingerprint": "147966271e2a469abf38db975cc8c5f4cc7e2fbbcf2e1bfe791e5883599e1e6c", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/alembic/versions/488eb58e4e6e_add_cloudonix_mode.py", "duplicate_line": 25, "correlation_key": "fp|147966271e2a469abf38db975cc8c5f4cc7e2fbbcf2e1bfe791e5883599e1e6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/alembic/versions/f2e1d0c9b8a7_add_plivo_mode.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28150, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c433213023a4d6b9ac190bae9ec3dc84e1c2e8889e6d3640aca31067f7a54fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/alembic/versions/6d2f94baf4b7_add_ari_mode.py", "duplicate_line": 23, "correlation_key": "fp|8c433213023a4d6b9ac190bae9ec3dc84e1c2e8889e6d3640aca31067f7a54fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/alembic/versions/f2e1d0c9b8a7_add_plivo_mode.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28149, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d2a5015cfac54a3d2712e0ec13bad41f9f794603a1ce5bc5a0d3c60041464f71", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/alembic/versions/b3a1c7e94f12_add_telnyx_mode.py", "duplicate_line": 19, "correlation_key": "fp|d2a5015cfac54a3d2712e0ec13bad41f9f794603a1ce5bc5a0d3c60041464f71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/alembic/versions/f2e1d0c9b8a7_add_plivo_mode.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28148, "scanner": "repobility-ai-code-hygiene", "fingerprint": "44623e274bdbdfbf2ee5b9074ebdbc516462729699b40fe8f4820363a899d8fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/alembic/versions/4d8e9b2a3c5f_drop_workflow_run_mode_enum.py", "duplicate_line": 21, "correlation_key": "fp|44623e274bdbdfbf2ee5b9074ebdbc516462729699b40fe8f4820363a899d8fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/alembic/versions/f2e1d0c9b8a7_add_plivo_mode.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28147, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bdb6289c8356da87abd4b20d4345f566c595d3a101bbd9ebfabe48b27a7499de", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/alembic/versions/a57d25b75117_add_vonage_and_rename_config.py", "duplicate_line": 21, "correlation_key": "fp|bdb6289c8356da87abd4b20d4345f566c595d3a101bbd9ebfabe48b27a7499de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/alembic/versions/e02f387b7538_add_embed_token_model.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28146, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da8b792088a26d4d01e415c7c333ffd18588e522e223805beeb1ca82a9d2114a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/alembic/versions/488eb58e4e6e_add_cloudonix_mode.py", "duplicate_line": 22, "correlation_key": "fp|da8b792088a26d4d01e415c7c333ffd18588e522e223805beeb1ca82a9d2114a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/alembic/versions/e02f387b7538_add_embed_token_model.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28145, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b988ed3cfd357af16c8c9136c7015227102a43b607d94b73a0777d768e68350", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/alembic/versions/a188ff90e76f_add_vobiz_mode_for_workflow.py", "duplicate_line": 35, "correlation_key": "fp|4b988ed3cfd357af16c8c9136c7015227102a43b607d94b73a0777d768e68350"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/alembic/versions/e02f387b7538_add_embed_token_model.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28144, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ac3e3d0610446d74e6e17f4da94e7dc9aa482740ddf4af7c1972f116211cb6d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/alembic/versions/488eb58e4e6e_add_cloudonix_mode.py", "duplicate_line": 25, "correlation_key": "fp|0ac3e3d0610446d74e6e17f4da94e7dc9aa482740ddf4af7c1972f116211cb6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/alembic/versions/b3a1c7e94f12_add_telnyx_mode.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28143, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f8a447dd72a1b28026055f97e60073fbfa6aa19f8c4d2877d595af6de315eaa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/alembic/versions/6d2f94baf4b7_add_ari_mode.py", "duplicate_line": 11, "correlation_key": "fp|1f8a447dd72a1b28026055f97e60073fbfa6aa19f8c4d2877d595af6de315eaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/alembic/versions/b3a1c7e94f12_add_telnyx_mode.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28142, "scanner": "repobility-ai-code-hygiene", "fingerprint": "092067450f581b4f200600773e3c583aaf0e6491cd9eba297b61dcb0d9c49a71", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/alembic/versions/488eb58e4e6e_add_cloudonix_mode.py", "duplicate_line": 36, "correlation_key": "fp|092067450f581b4f200600773e3c583aaf0e6491cd9eba297b61dcb0d9c49a71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/alembic/versions/a188ff90e76f_add_vobiz_mode_for_workflow.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28141, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a8cf2ac541f322c546550339b5ce89bd50fba6f5ae34118dd09d495fa056942", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "api/alembic/versions/488eb58e4e6e_add_cloudonix_mode.py", "duplicate_line": 25, "correlation_key": "fp|6a8cf2ac541f322c546550339b5ce89bd50fba6f5ae34118dd09d495fa056942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/alembic/versions/6d2f94baf4b7_add_ari_mode.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 28138, "scanner": "repobility-threat-engine", "fingerprint": "f32814ff84a1194577b2667a83d81ee7d18b314f7d3ab997aed68ed6c06fe12c", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|294|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/public/embed/dograh-widget.js"}, "region": {"startLine": 294}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ui` image is selected through a build variable"}, "properties": {"repobilityId": 28190, "scanner": "repobility-docker", "fingerprint": "53c48ece4956114f9f192bbbc5c55359dd6abc2e02a78b28058335ce2854043a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REGISTRY:-dograhai}/dograh-ui:latest", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/"], "correlation_key": "fp|53c48ece4956114f9f192bbbc5c55359dd6abc2e02a78b28058335ce2854043a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 206}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `api` image is selected through a build variable"}, "properties": {"repobilityId": 28186, "scanner": "repobility-docker", "fingerprint": "767f10ad58031c0cddfd3b9237fe053aaece3d6f411f06bbf24c78fc261be818", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REGISTRY:-dograhai}/dograh-api:latest", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|767f10ad58031c0cddfd3b9237fe053aaece3d6f411f06bbf24c78fc261be818"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 28136, "scanner": "repobility-threat-engine", "fingerprint": "7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 28135, "scanner": "repobility-threat-engine", "fingerprint": "ef905f74e2f48a416fa1c83be0896131495b14025e3efb37559d0b905ba6223a", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.randint(", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|52|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/tasks/run_integrations.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 28134, "scanner": "repobility-threat-engine", "fingerprint": "81d8942fdb452a9f5a22bd059df541d417aec0fe5e2e71b8ef66b9ff5c4ef514", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.randint(", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|api/routes/public_agent.py|166|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/routes/public_agent.py"}, "region": {"startLine": 166}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 28132, "scanner": "repobility-threat-engine", "fingerprint": "09a342afadf11f998ff72aae4f6dc6fdfc3a7a53fdd52d6a06632d6970e31c19", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|09a342afadf11f998ff72aae4f6dc6fdfc3a7a53fdd52d6a06632d6970e31c19"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 50 more): Same pattern found in 50 additional files. Review if needed."}, "properties": {"repobilityId": 28128, "scanner": "repobility-threat-engine", "fingerprint": "c24c804448fae5cf40fd0c060c0ccc965a5923f27f7c417da915e7e945fc7c72", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 50 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 50 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c24c804448fae5cf40fd0c060c0ccc965a5923f27f7c417da915e7e945fc7c72"}}}, {"ruleId": "SEC034", "level": "none", "message": {"text": "[SEC034] Log Injection / Log Forging \u2014 unsanitized user input in log (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 28124, "scanner": "repobility-threat-engine", "fingerprint": "1463c5f15774b141fd6a9008165a2e290be1368f339be01f9c278f6a91d8dc4b", "category": "log_injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC034", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1463c5f15774b141fd6a9008165a2e290be1368f339be01f9c278f6a91d8dc4b"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 28120, "scanner": "repobility-threat-engine", "fingerprint": "2171ce5698cfd563e3b739b571742ba580a8f71d964d7d93d91fa2cfa0a1a7c7", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2171ce5698cfd563e3b739b571742ba580a8f71d964d7d93d91fa2cfa0a1a7c7"}}}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 28225, "scanner": "repobility-journey-contract", "fingerprint": "0358ed72cf31e3bd4dd880c9bed90233e5d43c06341038a894fedf99e6bc3d8a", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|82|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"ui/src/app/auth/signup/page.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 28224, "scanner": "repobility-journey-contract", "fingerprint": "0180b05735df781fa6d804f431db576f19c6094e70ed48d22f8ee76ad582941a", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|70|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/auth/login/page.tsx"}, "region": {"startLine": 70}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /results/:id/route."}, "properties": {"repobilityId": 28198, "scanner": "repobility-access-control", "fingerprint": "a5542541d5cefd8a4228c0025a570ebbc7cca8b4ac31b8ca39472d383c0f7c4e", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/results/:id/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / id /route.ts|7|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/visualizer/src/app/api/results/[id]/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 28179, "scanner": "repobility-docker", "fingerprint": "1ddd8e7f0cc8fdf1a5c24d2e2d07b912cbb4413bf2a923bd687c76c518f7b5cf", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|1ddd8e7f0cc8fdf1a5c24d2e2d07b912cbb4413bf2a923bd687c76c518f7b5cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: 
Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28127, "scanner": "repobility-threat-engine", "fingerprint": "f5ba9825c4833ffbed61216f8dc397f10c1b540380d9572809667ab5b863c6d4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(\n            f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f5ba9825c4833ffbed61216f8dc397f10c1b540380d9572809667ab5b863c6d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/routes/public_download.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28126, "scanner": "repobility-threat-engine", "fingerprint": "04cdf223cbf27ce5907bac3dfcfa508daf5932e2fa238d2e1373167a7beada85", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(\n    r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|04cdf223cbf27ce5907bac3dfcfa508daf5932e2fa238d2e1373167a7beada85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/routes/knowledge_base.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28125, "scanner": "repobility-threat-engine", "fingerprint": "aed9b194bf174ab9ef668bb881ca91d8374d552e3af87a620aca87fae43660a3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(\n    c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aed9b194bf174ab9ef668bb881ca91d8374d552e3af87a620aca87fae43660a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/routes/campaign.py"}, "region": {"startLine": 927}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 28119, "scanner": "repobility-threat-engine", "fingerprint": "c62533be2d842c0e16c6226fedd006bb634b19f7f44577aedad388d632f375a1", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.debug('[AfterSignInPage] Stack user detected, getting auth token...')", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|1|logger.debug aftersigninpage stack user detected getting auth token..."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/app/after-sign-in/page.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC020", "level": 
"error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 28118, "scanner": "repobility-threat-engine", "fingerprint": "cdfa7e408542daac468895b9728ef3d76a0275e5bccb2db494d8e0a1a1cc6770", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.warning(f\"Invalid public access token: <redacted>}...\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|4|logger.warning f invalid public access token: redacted ..."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/routes/public_download.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 28117, "scanner": "repobility-threat-engine", "fingerprint": "87b1d9707dc44724ab0976e00df98e325f45f626dd4e73c3174c582611f964bf", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.info(f\"Created embed token {token} for workflow {workflow_id}\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|6|logger.info f created embed token token for workflow workflow_id"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/db/embed_token_client.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 28208, "scanner": "repobility-journey-contract", "fingerprint": "d0a6aecb6dd8625482992231bd5370bd5ca61ba5e773d2c2b9f87880194f3cb3", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|ui/src/app/workflow/ workflowid /run/ runid /hooks/usewebsocketrtc.tsx|96|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"ui/src/app/workflow/[workflowId]/run/[runId]/hooks/useWebSocketRTC.tsx"}, "region": {"startLine": 96}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 28188, "scanner": "repobility-docker", "fingerprint": "c76a860c33dffbc9ecbeb15e9c45fc20a57414ad41d76cac664cceaf35872b03", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "api", "variable": "MINIO_ACCESS_KEY", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|c76a860c33dffbc9ecbeb15e9c45fc20a57414ad41d76cac664cceaf35872b03", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 124}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 28183, "scanner": "repobility-docker", "fingerprint": "10602e5ee604d4ee279b665c7f5a48a698d8863e380e9889336212c7fa0cece1", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "dograh-init", "variable": "TURN_SECRET", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": 
"fp|10602e5ee604d4ee279b665c7f5a48a698d8863e380e9889336212c7fa0cece1", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 28181, "scanner": "repobility-docker", "fingerprint": "84601bdd581d753100fc4dea27d54292eadf1da20cb5962fa71d44b4797f74ac", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "minio", "variable": "MINIO_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|84601bdd581d753100fc4dea27d54292eadf1da20cb5962fa71d44b4797f74ac", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 28178, "scanner": "repobility-docker", "fingerprint": "2844c041db6ac3367b6b794c831a7d8f74fbc38d9b72941d3be8b0f59592c8a3", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", 
"https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|2844c041db6ac3367b6b794c831a7d8f74fbc38d9b72941d3be8b0f59592c8a3", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR005", "level": "error", "message": {"text": "Docker image bakes a secret-like ENV value"}, "properties": {"repobilityId": 28176, "scanner": "repobility-docker", "fingerprint": "4efb5241c380e435db43f08ba26acc0e2a40015c0d5d26a1a527b094d1cd5f22", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ENV assigns a literal value to a secret-like variable name.", "evidence": {"rule_id": "DKR005", "scanner": "repobility-docker", "variable": "NEXT_PUBLIC_CHATWOOT_TOKEN", "references": ["https://docs.docker.com/build/building/secrets/", "https://docs.docker.com/compose/how-tos/environment-variables/best-practices/"], "correlation_key": "fp|4efb5241c380e435db43f08ba26acc0e2a40015c0d5d26a1a527b094d1cd5f22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/Dockerfile"}, "region": {"startLine": 42}}}]}]}]}