{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /ev"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /events/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /settings/users/rou"}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /settings/users/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 7.2% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 7.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 7.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS 
Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wfc6-r584-vfw7", "name": "next: GHSA-wfc6-r584-vfw7", "shortDescription": {"text": "next: GHSA-wfc6-r584-vfw7"}, "fullDescription": {"text": "Next.js vulnerable to cache poisoning in React Server Component responses"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h64f-5h5j-jqjh", "name": "next: GHSA-h64f-5h5j-jqjh", "shortDescription": {"text": "next: GHSA-h64f-5h5j-jqjh"}, "fullDescription": {"text": "Next.js has a Denial of Service in the Image Optimization API"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gx5p-jg67-6x7h", "name": "next: GHSA-gx5p-jg67-6x7h", "shortDescription": {"text": "next: GHSA-gx5p-jg67-6x7h"}, "fullDescription": {"text": "Next.js has cross-site scripting in beforeInteractive scripts with untrusted input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ffhc-5mcf-pf4q", "name": "next: GHSA-ffhc-5mcf-pf4q", "shortDescription": {"text": "next: GHSA-ffhc-5mcf-pf4q"}, "fullDescription": {"text": "Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2v4-37r5-5v8g", "name": "ip-address: GHSA-v2v4-37r5-5v8g", "shortDescription": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "fullDescription": {"text": "ip-address has XSS in Address6 HTML-emitting methods"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xrhx-7g5j-rcj5", "name": "hono: GHSA-xrhx-7g5j-rcj5", "shortDescription": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "fullDescription": {"text": "Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qp7p-654g-cw7p", "name": "hono: GHSA-qp7p-654g-cw7p", "shortDescription": {"text": "hono: GHSA-qp7p-654g-cw7p"}, "fullDescription": {"text": "Hono has CSS Declaration Injection via Style Object Values in JSX SSR"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p77w-8qqv-26rm", "name": "hono: GHSA-p77w-8qqv-26rm", "shortDescription": {"text": "hono: GHSA-p77w-8qqv-26rm"}, "fullDescription": {"text": "Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f577-qrjj-4474", "name": "hono: GHSA-f577-qrjj-4474", "shortDescription": {"text": "hono: GHSA-f577-qrjj-4474"}, "fullDescription": {"text": "Hono: JWT middleware accepts any Authorization scheme, not only Bearer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9vqf-7f2p-gf9v", "name": "hono: GHSA-9vqf-7f2p-gf9v", 
"shortDescription": {"text": "hono: GHSA-9vqf-7f2p-gf9v"}, "fullDescription": {"text": "Hono: bodyLimit() can be bypassed for chunked / unknown-length requests"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-69xw-7hcm-h432", "name": "hono: GHSA-69xw-7hcm-h432", "shortDescription": {"text": "hono: GHSA-69xw-7hcm-h432"}, "fullDescription": {"text": "hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3hrh-pfw6-9m5x", "name": "hono: GHSA-3hrh-pfw6-9m5x", "shortDescription": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "fullDescription": {"text": "Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2gcr-mfcq-wcc3", "name": "hono: GHSA-2gcr-mfcq-wcc3", "shortDescription": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "fullDescription": {"text": "Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", 
"shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. 
Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AGT011", "name": "Audit export may include unredacted sensitive metadata", "shortDescription": {"text": "Audit export may include unredacted sensitive metadata"}, "fullDescription": {"text": "Audit logs can be useful live state, but exported debug bundles should redact user messages, transcripts, connector payloads, and large metadata values before sharing."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@types/bcryptjs` is 1 major version(s) behind (2.4.6 -> 3.0.0)", "shortDescription": {"text": "npm package `@types/bcryptjs` is 1 major version(s) behind (2.4.6 -> 3.0.0)"}, "fullDescription": {"text": "`@types/bcryptjs` is pinned/resolved at 2.4.6 but the latest stable release on the npm registry is 3.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-vfv6-92ff-j949", "name": "next: GHSA-vfv6-92ff-j949", "shortDescription": {"text": "next: GHSA-vfv6-92ff-j949"}, "fullDescription": {"text": "Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3g8h-86w9-wvmq", "name": "next: GHSA-3g8h-86w9-wvmq", "shortDescription": {"text": "next: GHSA-3g8h-86w9-wvmq"}, "fullDescription": {"text": "Next.js's Middleware / Proxy redirects can be cache-poisoned"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-hm8q-7f3q-5f36", "name": "hono: GHSA-hm8q-7f3q-5f36", "shortDescription": {"text": "hono: GHSA-hm8q-7f3q-5f36"}, "fullDescription": {"text": "Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks 
are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 61 more): Same pattern found in 61 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 61 more): Same pattern found in 61 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nAlso block loopback (127.0.0.0/8) and the IPv6 loopback, link-local and unique-local ranges, and apply the check to the address the hostname resolves to and to every redirect hop, not only to the hostname string."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /approvals/:id/route."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PATCH /approvals/:id/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "GHSA-mg66-mrh9-m8jx", "name": "next: GHSA-mg66-mrh9-m8jx", "shortDescription": {"text": "next: GHSA-mg66-mrh9-m8jx"}, "fullDescription": {"text": "Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c4j6-fc7j-m34r", "name": "next: GHSA-c4j6-fc7j-m34r", "shortDescription": {"text": "next: GHSA-c4j6-fc7j-m34r"}, "fullDescription": {"text": "Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8h8q-6873-q5fj", "name": "next: GHSA-8h8q-6873-q5fj", "shortDescription": {"text": "next: GHSA-8h8q-6873-q5fj"}, "fullDescription": {"text": "Next.js Vulnerable to Denial of Service with Server Components"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-492v-c6pp-mqqv", "name": "next: GHSA-492v-c6pp-mqqv", "shortDescription": {"text": "next: GHSA-492v-c6pp-mqqv"}, "fullDescription": {"text": "Next.js has a Middleware / Proxy bypass through dynamic route parameter injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-36qx-fr4f-26g5", "name": "next: GHSA-36qx-fr4f-26g5", "shortDescription": {"text": "next: GHSA-36qx-fr4f-26g5"}, "fullDescription": {"text": "Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n"}, "properties": {"scanner": 
"osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-26hh-7cqf-hhc6", "name": "next: GHSA-26hh-7cqf-hhc6", "shortDescription": {"text": "next: GHSA-26hh-7cqf-hhc6"}, "fullDescription": {"text": "Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-267c-6grr-h53f", "name": "next: GHSA-267c-6grr-h53f", "shortDescription": {"text": "next: GHSA-267c-6grr-h53f"}, "fullDescription": {"text": "Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-6v9c-7cg6-27q7", "name": "marked: GHSA-6v9c-7cg6-27q7", "shortDescription": {"text": "marked: GHSA-6v9c-7cg6-27q7"}, "fullDescription": {"text": "Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (inserted as text, never parsed as HTML).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT003", "name": "User-editable role instructions are inserted into the system prompt", "shortDescription": {"text": "User-editable role instructions are inserted into the system prompt"}, "fullDescription": {"text": "Fleet or role instructions that users can edit should be treated as untrusted configuration. 
Prepending them to every system prompt lets stored text override runtime behavior."}, "properties": {"scanner": "repobility-agent-runtime", "category": "llm_injection", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "Phantom test coverage: test_fail_fast_nontransient", "shortDescription": {"text": "Phantom test coverage: test_fail_fast_nontransient"}, "fullDescription": {"text": "Test function `test_fail_fast_nontransient` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.cost` used but never assigned in __init__", "shortDescription": {"text": "`self.cost` used but never assigned in __init__"}, "fullDescription": {"text": "Method `summary_line` of class `UsageTracker` reads `self.cost`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. 
This can exfiltrate sessions when callback validation is incomplete."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "jwt", "name": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.", "shortDescription": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.CI_ADMIN_PASSWORD` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.CI_ADMIN_PASSWORD` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CI_ADMIN_PASSWORD }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). When triaging, note that GitHub withholds repository secrets from `pull_request` runs started from forks unless sending secrets to fork pull requests is enabled, so confirm which PR sources can actually reach this step. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1094"}, "properties": {"repository": "grandamenium/cortextos", "repoUrl": "https://github.com/grandamenium/cortextos", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107407, "scanner": "repobility-journey-contract", "fingerprint": "9dd317d72cb21a2fb43c41787d11c891c8d24b97025f2347b5df06185ab105ee", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/workflows/crons", "correlation_key": "fp|9dd317d72cb21a2fb43c41787d11c891c8d24b97025f2347b5df06185ab105ee", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/workflows/page.tsx"}, "region": {"startLine": 197}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107406, "scanner": "repobility-journey-contract", "fingerprint": "d6fde4f5068dc668a79926c5aa28ab7b4205743bea4174f28c3229a3e639c499", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", 
"evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/workflows/health", "correlation_key": "fp|d6fde4f5068dc668a79926c5aa28ab7b4205743bea4174f28c3229a3e639c499", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/workflows/page.tsx"}, "region": {"startLine": 179}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107405, "scanner": "repobility-journey-contract", "fingerprint": "88ab6dcd94da851960537deb4d9f63c1cdfd5e629ace48d4deb9f965fcb68b09", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/agents", "correlation_key": "fp|88ab6dcd94da851960537deb4d9f63c1cdfd5e629ace48d4deb9f965fcb68b09", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/workflows/new/page.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107404, "scanner": "repobility-journey-contract", "fingerprint": "3ade0f1fba5571893853a875179aa66cdb51a9565c127d735ad8773c0850b04f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", 
"evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/workflows/health", "correlation_key": "fp|3ade0f1fba5571893853a875179aa66cdb51a9565c127d735ad8773c0850b04f", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/workflows/health/page.tsx"}, "region": {"startLine": 142}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107403, "scanner": "repobility-journey-contract", "fingerprint": "d00fd6ab6578948c68c4554642edda7198b073dc2d8b1d505024843b436bff33", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/agents", "correlation_key": "fp|d00fd6ab6578948c68c4554642edda7198b073dc2d8b1d505024843b436bff33", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/workflows/[agent]/[name]/page.tsx"}, "region": {"startLine": 98}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107402, "scanner": "repobility-journey-contract", "fingerprint": "dc603fabbd0b624dd6c27cc792c0435007d759f0f3c10fae68b037346165cb1d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same 
route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/tasks/{param}", "correlation_key": "fp|dc603fabbd0b624dd6c27cc792c0435007d759f0f3c10fae68b037346165cb1d", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/tasks/page.tsx"}, "region": {"startLine": 121}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107401, "scanner": "repobility-journey-contract", "fingerprint": "075d3f51ab5a9caeeca26527e6000de26b2de5b0733472061cc7d27518343b3c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/tasks/{param}", "correlation_key": "fp|075d3f51ab5a9caeeca26527e6000de26b2de5b0733472061cc7d27518343b3c", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/tasks/page.tsx"}, "region": {"startLine": 103}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107400, "scanner": "repobility-journey-contract", "fingerprint": "c3b07c1650a7fe6df460726223bc08b211e7fea00b18fc8f64cc2af8610f0192", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route 
shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/experiments{param}", "correlation_key": "fp|c3b07c1650a7fe6df460726223bc08b211e7fea00b18fc8f64cc2af8610f0192", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/experiments/page.tsx"}, "region": {"startLine": 167}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107399, "scanner": "repobility-journey-contract", "fingerprint": "f179ca80c4b3d16a4bf2f211e471f94a348c6e2dc4cce129fec8bf85116accaa", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/comms/channels", "correlation_key": "fp|f179ca80c4b3d16a4bf2f211e471f94a348c6e2dc4cce129fec8bf85116accaa", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/comms/page.tsx"}, "region": {"startLine": 83}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107398, "scanner": "repobility-journey-contract", "fingerprint": "35dcb3cac8c8aa4f8af923c0b9435274ffcf01b1d02a3eae8a129c5631a45b8d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route 
shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/comms/feed", "correlation_key": "fp|35dcb3cac8c8aa4f8af923c0b9435274ffcf01b1d02a3eae8a129c5631a45b8d", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/comms/page.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107397, "scanner": "repobility-journey-contract", "fingerprint": "a62016d35df95e1ce4e5dc31856c07982630c0711ffff7d9a838d33d3c183e5e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/agents", "correlation_key": "fp|a62016d35df95e1ce4e5dc31856c07982630c0711ffff7d9a838d33d3c183e5e", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/comms/page.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107396, "scanner": "repobility-journey-contract", "fingerprint": "164bc8dfe819f8983724f860710f4a0c13f03de099e3ac32395b027c69fedf3c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": 
{"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/tasks/{param}", "correlation_key": "fp|164bc8dfe819f8983724f860710f4a0c13f03de099e3ac32395b027c69fedf3c", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/approvals/page.tsx"}, "region": {"startLine": 173}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107395, "scanner": "repobility-journey-contract", "fingerprint": "f9bc3c4337a457e6635bd4e7f82db917d3d165da7e1c2ebfa8678dbb47861e60", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/approvals/{param}", "correlation_key": "fp|f9bc3c4337a457e6635bd4e7f82db917d3d165da7e1c2ebfa8678dbb47861e60", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/approvals/page.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107394, "scanner": "repobility-journey-contract", "fingerprint": "207647d87267902e7d8a0aafe9b98a64d6617c2cfa9a2507753c4587d22dc163", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": 
{"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/approvals", "correlation_key": "fp|207647d87267902e7d8a0aafe9b98a64d6617c2cfa9a2507753c4587d22dc163", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/approvals/page.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 107393, "scanner": "repobility-journey-contract", "fingerprint": "b28da596b830fdfdd97b1d40288ee299f8172116c3c9fa0ccdc49e1b387f9e41", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/setup", "correlation_key": "fp|b28da596b830fdfdd97b1d40288ee299f8172116c3c9fa0ccdc49e1b387f9e41", "backend_endpoint_count": 69}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(auth)/login/page.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /events/route."}, "properties": {"repobilityId": 107391, "scanner": "repobility-access-control", "fingerprint": "0d734aa99d8865f4f45385e1d51f46a72f8b1012be9083ab8061b8ee3115db30", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|18|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/events/route.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /tasks/route."}, "properties": {"repobilityId": 107390, "scanner": "repobility-access-control", "fingerprint": "49d120f98f520b1febd37be9d77cd1e9fff056d234bfa0ece6388c10f16d9223", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/tasks/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|24|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/tasks/route.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /agents/route."}, "properties": {"repobilityId": 107389, "scanner": "repobility-access-control", "fingerprint": "554eaf0d8c53bfe069dc5efe5bb4beb4be5278bc7464951721fa3a04ccb29041", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/agents/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|51|cwe-285", "duplicate_count": 1, "identity_targets": ["unknown"], "duplicate_rule_ids": ["AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["554eaf0d8c53bfe069dc5efe5bb4beb4be5278bc7464951721fa3a04ccb29041", "783b07649527ee7bf05e44750c384ad0340124ac4ee087749f2b19950834e4b3"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/agents/route.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /agents/route."}, "properties": {"repobilityId": 107388, "scanner": "repobility-access-control", "fingerprint": "a64c5170513b5d770acbb69261cceb7ee845be8791742f84a06c9361b9475669", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/agents/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|22|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/agents/route.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated 
policy evidence. Endpoint: GET /approvals/route."}, "properties": {"repobilityId": 107387, "scanner": "repobility-access-control", "fingerprint": "518eab5bdb8c1b4824c79c5bc5915895bc407b288df4513ae6860e11f850d78e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/approvals/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|20|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/approvals/route.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /skills/route."}, "properties": {"repobilityId": 107386, "scanner": "repobility-access-control", "fingerprint": "4d84bcaf3d23aea11dea6f3ace8ee2159f1fef6697bd65d4e650543d5c14c3af", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/skills/route", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|114|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/skills/route.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /skills/route."}, "properties": {"repobilityId": 107385, "scanner": "repobility-access-control", "fingerprint": "dd1fc95235d2014217301a753fd79e69e4b5fa0068d05c3a7525d95cb102bf90", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/skills/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|87|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/skills/route.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /quota/route."}, "properties": {"repobilityId": 107384, "scanner": "repobility-access-control", "fingerprint": "ee317e2fc840ea2ae7e53f9a8e0d85c33c6758e1633ef3d901079d5e94802dd3", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/quota/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|5|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/quota/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /experiments/route."}, "properties": {"repobilityId": 107383, "scanner": "repobility-access-control", "fingerprint": "d8675f3700fe285d9347b62628c2089234a0d538f8079113f2a211989bef9cdd", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/experiments/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|168|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/experiments/route.ts"}, "region": {"startLine": 168}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /settings/users/route."}, "properties": {"repobilityId": 107382, "scanner": "repobility-access-control", "fingerprint": "904ac49e700b45eb3de1dba162161db543cb4d54137dee2d55720c308801eba9", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/users/route", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|42|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/settings/users/route.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /settings/users/route."}, "properties": {"repobilityId": 107381, "scanner": "repobility-access-control", "fingerprint": "12ed92125ba4ab8d1a9c3ae4885b4e74771a3911f34ea5acc2787602d57dd150", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/users/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|23|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/settings/users/route.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/telegram/route."}, "properties": {"repobilityId": 107380, "scanner": "repobility-access-control", "fingerprint": "27ce498e4bd63e7477233f52b7e65811857f149874a3ce402d1f2f38d5b20112", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. 
Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/settings/telegram/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|13|cwe-285", "duplicate_count": 1, "identity_targets": ["unknown", "admin"], "duplicate_rule_ids": ["AUC004"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["1f734722918bf12e9be3d6e48b8a01bf24e1070d343c9114cfd1d8ebd82b582e", "27ce498e4bd63e7477233f52b7e65811857f149874a3ce402d1f2f38d5b20112"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/settings/telegram/route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /settings/system/route."}, "properties": {"repobilityId": 107379, "scanner": "repobility-access-control", "fingerprint": "4cda747a93928cf9f1a9986eee031744ee14b82232889c9c49e55fcd39bad126", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/system/route", "method": "PUT", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|40|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/settings/system/route.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is 
separated from tenant/application admin access. Endpoint: GET /settings/system/route."}, "properties": {"repobilityId": 107378, "scanner": "repobility-access-control", "fingerprint": "05730eeaba97a7780de3316b8a3ed10ff4f937a09ac6e5f1201c285e5fe92732", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/system/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|31|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/settings/system/route.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 7.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 107371, "scanner": "repobility-access-control", "fingerprint": "e47ffcdc15f0932602b17e1731adff773ce975ab8985aa09da11b31b08f24a32", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 69, "correlation_key": "fp|e47ffcdc15f0932602b17e1731adff773ce975ab8985aa09da11b31b08f24a32", "auth_visible_percent": 7.2}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 107370, "scanner": "repobility-access-control", "fingerprint": 
"f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 107369, "scanner": "osv-scanner", "fingerprint": "33aa829b4458c5ef73d832c9e568cf3032217bd31f4b18cc6a572d90111a50bb", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 107368, "scanner": "osv-scanner", "fingerprint": "46e610270d4f18d9695d82b6c319e9ad62b71e7d4d29cc235186acdf531db62e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 107367, "scanner": "osv-scanner", "fingerprint": "93a4420e76bc028a70deb78fe3198bd18394abbc0cd1e04b30c31e70529aa963", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wfc6-r584-vfw7", "level": "warning", "message": {"text": "next: GHSA-wfc6-r584-vfw7"}, "properties": {"repobilityId": 107366, "scanner": "osv-scanner", "fingerprint": "59b9c67ec429f9d57fd4d3160ff2d09af864f3f8706074dbc9331e4660dfe657", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44576"], "package": "next", "rule_id": "GHSA-wfc6-r584-vfw7", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44576|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h64f-5h5j-jqjh", "level": "warning", "message": {"text": "next: GHSA-h64f-5h5j-jqjh"}, "properties": {"repobilityId": 107363, "scanner": "osv-scanner", "fingerprint": "209126e3da6b9b0502f85bf2e7c920ca87bee18935c46b6c9ed5d9d2e5434ad0", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44577"], 
"package": "next", "rule_id": "GHSA-h64f-5h5j-jqjh", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44577|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gx5p-jg67-6x7h", "level": "warning", "message": {"text": "next: GHSA-gx5p-jg67-6x7h"}, "properties": {"repobilityId": 107362, "scanner": "osv-scanner", "fingerprint": "097c1001e29c32e6ba2208fe4d0cb3f383d2a186f94473c75ba971aaa013556e", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44580"], "package": "next", "rule_id": "GHSA-gx5p-jg67-6x7h", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44580|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ffhc-5mcf-pf4q", "level": "warning", "message": {"text": "next: GHSA-ffhc-5mcf-pf4q"}, "properties": {"repobilityId": 107361, "scanner": "osv-scanner", "fingerprint": "76be4f7988c729675c2670827e6d8b0eb910f131e62bd713c9e3b7011ceb26ae", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44581"], "package": "next", "rule_id": "GHSA-ffhc-5mcf-pf4q", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44581|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2v4-37r5-5v8g", "level": "warning", "message": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "properties": {"repobilityId": 107352, "scanner": "osv-scanner", "fingerprint": 
"ac447eea89a7cbe5c8ff3234698b84e3fc0013ed4600448fc496c25bb41a6faa", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42338"], "package": "ip-address", "rule_id": "GHSA-v2v4-37r5-5v8g", "scanner": "osv-scanner", "correlation_key": "vuln|ip-address|CVE-2026-42338|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xrhx-7g5j-rcj5", "level": "warning", "message": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "properties": {"repobilityId": 107351, "scanner": "osv-scanner", "fingerprint": "509907306ea7000641cf9bf44e496b502ef5b0f89f5ed594ac4b9e99697e1797", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47674"], "package": "hono", "rule_id": "GHSA-xrhx-7g5j-rcj5", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47674|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qp7p-654g-cw7p", "level": "warning", "message": {"text": "hono: GHSA-qp7p-654g-cw7p"}, "properties": {"repobilityId": 107350, "scanner": "osv-scanner", "fingerprint": "bfa834f23f93395d699a85581201b67c133659754bc0cb6e1ece527844ede3a5", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44458"], "package": "hono", "rule_id": "GHSA-qp7p-654g-cw7p", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44458|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p77w-8qqv-26rm", "level": "warning", "message": {"text": "hono: GHSA-p77w-8qqv-26rm"}, "properties": {"repobilityId": 107349, "scanner": "osv-scanner", "fingerprint": "b0b143ee070c169bc5fd8e2d23edf14bb3adf49ddf70bc373219a13233878049", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44457"], "package": "hono", "rule_id": "GHSA-p77w-8qqv-26rm", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44457|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f577-qrjj-4474", "level": "warning", "message": {"text": "hono: GHSA-f577-qrjj-4474"}, "properties": {"repobilityId": 107347, "scanner": "osv-scanner", "fingerprint": "10dde66659b992f7d30494a65213e81994476dac25526a22950ff7ea7ca5155c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47673"], "package": "hono", "rule_id": "GHSA-f577-qrjj-4474", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47673|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9vqf-7f2p-gf9v", "level": "warning", "message": {"text": "hono: GHSA-9vqf-7f2p-gf9v"}, "properties": {"repobilityId": 107346, "scanner": "osv-scanner", "fingerprint": "c46f9801c59ad608cfe2545a9f629fcdaebebc6ea7cb2e8094ae9e76f036a423", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44456"], "package": "hono", "rule_id": 
"GHSA-9vqf-7f2p-gf9v", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44456|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-69xw-7hcm-h432", "level": "warning", "message": {"text": "hono: GHSA-69xw-7hcm-h432"}, "properties": {"repobilityId": 107345, "scanner": "osv-scanner", "fingerprint": "63c3266c9de4eff4c41b280b445574573083edaf5eea772fb974d9d6a1206fc9", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44455"], "package": "hono", "rule_id": "GHSA-69xw-7hcm-h432", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44455|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3hrh-pfw6-9m5x", "level": "warning", "message": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "properties": {"repobilityId": 107344, "scanner": "osv-scanner", "fingerprint": "0602b774a86d6eb50810e624f26c9a52ef97d310d58737b359a79187f86ecfec", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47675"], "package": "hono", "rule_id": "GHSA-3hrh-pfw6-9m5x", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47675|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2gcr-mfcq-wcc3", "level": "warning", "message": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "properties": {"repobilityId": 107343, "scanner": "osv-scanner", "fingerprint": "8311ca9d721e2dd10e53cee5efb1226f42d0f29b747d40f0a897ee2770b830e0", "category": "dependency", 
"severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47676"], "package": "hono", "rule_id": "GHSA-2gcr-mfcq-wcc3", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47676|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 107340, "scanner": "osv-scanner", "fingerprint": "6fb66748b8d116aae73860be66fbf388e73e036a7a687c213f199c066e3f5dd1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 107331, "scanner": "repobility-threat-engine", "fingerprint": "de2a3f591a1afad2459119c602e5d23712d8b427614a4243083e53446ea01a68", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|src/bus/cron-state.ts|84|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/bus/cron-state.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 107330, "scanner": "repobility-threat-engine", "fingerprint": "62d1730928e5cc0c26945142703d415dfa95a05efa7a6416c29fa0460b122ea7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|32|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/wiki/wiki-renderer.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 107312, "scanner": "repobility-threat-engine", "fingerprint": "c0c762450abf94bceb5cc2ebcdf69cae83bb6545bd4c126832a7af22a0b4cb6e", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c0c762450abf94bceb5cc2ebcdf69cae83bb6545bd4c126832a7af22a0b4cb6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(auth)/login/page.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 107295, "scanner": "repobility-agent-runtime", "fingerprint": "ab633a74725426c62d4a1fab4225b2ed6c0cf0971424edba7e55992976147178", "category": "quality", "severity": "medium", 
"confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ab633a74725426c62d4a1fab4225b2ed6c0cf0971424edba7e55992976147178"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/types/index.ts"}, "region": {"startLine": 168}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 107294, "scanner": "repobility-agent-runtime", "fingerprint": "42ef43d67d56af3cc160cbd65e639ca7826191935eba45a1d720d52f7f0bc3f8", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|42ef43d67d56af3cc160cbd65e639ca7826191935eba45a1d720d52f7f0bc3f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pty/codex-app-server-pty.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 107293, "scanner": "repobility-agent-runtime", "fingerprint": "85b4b647a0b54c8ad5521383d0a75b25a13cf2ffda66e97f0b359956f7cd1423", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], 
"correlation_key": "fp|85b4b647a0b54c8ad5521383d0a75b25a13cf2ffda66e97f0b359956f7cd1423"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pty/agent-pty.ts"}, "region": {"startLine": 247}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 107292, "scanner": "repobility-agent-runtime", "fingerprint": "81300e2ffa94a298618f6b2ebde63fb501f5354ae454a64a8917cec7005a7607", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|81300e2ffa94a298618f6b2ebde63fb501f5354ae454a64a8917cec7005a7607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/daemon/agent-manager.ts"}, "region": {"startLine": 374}}}]}, {"ruleId": "AGT011", "level": "warning", "message": {"text": "Audit export may include unredacted sensitive metadata"}, "properties": {"repobilityId": 107291, "scanner": "repobility-agent-runtime", "fingerprint": "aa2bb13f1fe81e27f2eae93cc4e4c835c10a271bf6ebe9c7eaf581c5026ff1a4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to log meta dictionaries and export or stringify audit data without visible redaction/scrubbing.", "evidence": {"rule_id": "AGT011", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|aa2bb13f1fe81e27f2eae93cc4e4c835c10a271bf6ebe9c7eaf581c5026ff1a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/bus.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log 
reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 107290, "scanner": "repobility-agent-runtime", "fingerprint": "59ce4ce0f92f5fd10688bb2fe2479f01f99586e67647811928f1723910a2ed2d", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|59ce4ce0f92f5fd10688bb2fe2479f01f99586e67647811928f1723910a2ed2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/bus.ts"}, "region": {"startLine": 210}}}]}, {"ruleId": "AGT011", "level": "warning", "message": {"text": "Audit export may include unredacted sensitive metadata"}, "properties": {"repobilityId": 107289, "scanner": "repobility-agent-runtime", "fingerprint": "a8e67da509bc6ffcf426fdb95f86bd732ee4400962df3d1244ce1b6182ca06f9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to log meta dictionaries and export or stringify audit data without visible redaction/scrubbing.", "evidence": {"rule_id": "AGT011", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a8e67da509bc6ffcf426fdb95f86bd732ee4400962df3d1244ce1b6182ca06f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/bus/task.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 107288, "scanner": "repobility-agent-runtime", "fingerprint": "8fb69a3e7cb273c44fe2a2f901d3db189d69bc49ed3b999fe736b5aad64b116c", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8fb69a3e7cb273c44fe2a2f901d3db189d69bc49ed3b999fe736b5aad64b116c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/lib/cost-parser.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 107287, "scanner": "repobility-agent-runtime", "fingerprint": "2ed1afcf3a8ac6e2665c049f561fc908d52ce0895a74a256c0d075c8ddac87bb", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|2ed1afcf3a8ac6e2665c049f561fc908d52ce0895a74a256c0d075c8ddac87bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/comms/page.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/bcryptjs` is 1 major version(s) behind (2.4.6 -> 3.0.0)"}, "properties": {"repobilityId": 107286, "scanner": "repobility-dependency-currency", "fingerprint": "031b313f0e78e3ff6881eeff28cc3e1c3618775d5306a1f45258b00adc9a8863", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/bcryptjs", "scanner": 
"repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.0", "correlation_key": "fp|031b313f0e78e3ff6881eeff28cc3e1c3618775d5306a1f45258b00adc9a8863", "current_version": "2.4.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `commander` is 1 major version(s) behind (14.0.3 -> 15.0.0)"}, "properties": {"repobilityId": 107275, "scanner": "repobility-dependency-currency", "fingerprint": "5e74fe5a7f36059c3aa1668ed050b9cce675375b8cb64b15c22026841de9c7d4", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "commander", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "15.0.0", "correlation_key": "fp|5e74fe5a7f36059c3aa1668ed050b9cce675375b8cb64b15c22026841de9c7d4", "current_version": "14.0.3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107271, "scanner": "repobility-ast-engine", "fingerprint": "34295714101a5a7a11065d9f0f81c4d67bd6bca6a7b3b393e495b5d082ddfb16", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|34295714101a5a7a11065d9f0f81c4d67bd6bca6a7b3b393e495b5d082ddfb16"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "knowledge-base/scripts/_test_clients/test_retry.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107270, "scanner": "repobility-ast-engine", "fingerprint": "f9bf7749bc1f8870f2505eee21f4564f71d678c40cb3cac8b2c3d65e091d4261", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f9bf7749bc1f8870f2505eee21f4564f71d678c40cb3cac8b2c3d65e091d4261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/_test_clients/test_retry.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107266, "scanner": "repobility-ast-engine", "fingerprint": "351d30d937da1910f617c853b64a5e154adf545d379cb622c64e72e38f917028", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|351d30d937da1910f617c853b64a5e154adf545d379cb622c64e72e38f917028"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107265, "scanner": "repobility-ast-engine", "fingerprint": 
"c50837f465b6ff5eaf80fa0afd9be8c822d56ceaa255d136a9b538e2632775a7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c50837f465b6ff5eaf80fa0afd9be8c822d56ceaa255d136a9b538e2632775a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 1112}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107264, "scanner": "repobility-ast-engine", "fingerprint": "2d6ef64a91c4b9b67d35a675189e396a11faf564461c3503b1ca55c85d72cba0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2d6ef64a91c4b9b67d35a675189e396a11faf564461c3503b1ca55c85d72cba0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 1102}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107263, "scanner": "repobility-ast-engine", "fingerprint": "f8adb7f4c29a1b038bf8110b8e80690baa936b8177880e01aef0bc71b76f4dda", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, 
"scanner": "repobility-ast-engine", "correlation_key": "fp|f8adb7f4c29a1b038bf8110b8e80690baa936b8177880e01aef0bc71b76f4dda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 765}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107262, "scanner": "repobility-ast-engine", "fingerprint": "6cab5939ff93ebd920423c1a93719293002f08a2c57544a834ea9f997949aa76", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6cab5939ff93ebd920423c1a93719293002f08a2c57544a834ea9f997949aa76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 660}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107261, "scanner": "repobility-ast-engine", "fingerprint": "ea37c5cc8e3b9a5df4ffb7389b1282c31a438284e10794b38b26a6f6bc0efdcd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ea37c5cc8e3b9a5df4ffb7389b1282c31a438284e10794b38b26a6f6bc0efdcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 756}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, 
"properties": {"repobilityId": 107260, "scanner": "repobility-ast-engine", "fingerprint": "9933871385e1417f2245836a45abd308e4289424e8d155632523181f0ad40854", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9933871385e1417f2245836a45abd308e4289424e8d155632523181f0ad40854"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 674}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107259, "scanner": "repobility-ast-engine", "fingerprint": "ddef1381e30978d14903673441b52648390aac98d22d470a709ff2fb47811f02", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ddef1381e30978d14903673441b52648390aac98d22d470a709ff2fb47811f02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 641}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107258, "scanner": "repobility-ast-engine", "fingerprint": "22e5ca445aad6ec8638f5c6cd1faa6e0b0c70a651aa5c84a4aab354b997acda0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", 
"owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|22e5ca445aad6ec8638f5c6cd1faa6e0b0c70a651aa5c84a4aab354b997acda0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 723}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107257, "scanner": "repobility-ast-engine", "fingerprint": "31131b3ada345593a25165976ea1e0b017a27b9d924621210a70a9cdadeec2ae", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|31131b3ada345593a25165976ea1e0b017a27b9d924621210a70a9cdadeec2ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 1424}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107256, "scanner": "repobility-ast-engine", "fingerprint": "635dcec175bda6da99c532c5f134591694429195978ff625642ffaa939f5f6b7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|635dcec175bda6da99c532c5f134591694429195978ff625642ffaa939f5f6b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 1387}}}]}, {"ruleId": 
"MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107255, "scanner": "repobility-ast-engine", "fingerprint": "2ff4c7e292b5182ae07fd815624c75c3208a3bfb6e5871af2a6b42d1b4b85c2b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2ff4c7e292b5182ae07fd815624c75c3208a3bfb6e5871af2a6b42d1b4b85c2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 1202}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107254, "scanner": "repobility-ast-engine", "fingerprint": "001590e4f3d3159314ee3ac894cf49afd3387ab47153a126a0e708a49c9aeee9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|001590e4f3d3159314ee3ac894cf49afd3387ab47153a126a0e708a49c9aeee9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 959}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 107253, "scanner": "repobility-ast-engine", "fingerprint": "ddca66d63eeb0c0d8ca6317a4b146bb27afdddd44de0e31746b0687a04005708", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ddca66d63eeb0c0d8ca6317a4b146bb27afdddd44de0e31746b0687a04005708"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 562}}}]}, {"ruleId": "GHSA-vfv6-92ff-j949", "level": "note", "message": {"text": "next: GHSA-vfv6-92ff-j949"}, "properties": {"repobilityId": 107365, "scanner": "osv-scanner", "fingerprint": "32efd1992a5da4bd2ad11d909bf2e5aaa2068e9d96dd12436a9671a5b758a936", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44582"], "package": "next", "rule_id": "GHSA-vfv6-92ff-j949", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44582|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3g8h-86w9-wvmq", "level": "note", "message": {"text": "next: GHSA-3g8h-86w9-wvmq"}, "properties": {"repobilityId": 107357, "scanner": "osv-scanner", "fingerprint": "2380783e269f4ae9365c3ee858eabcc2a6db51eea5d7b7d7543cb6479fa2c80d", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44572"], "package": "next", "rule_id": "GHSA-3g8h-86w9-wvmq", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44572|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-hm8q-7f3q-5f36", "level": "note", "message": {"text": "hono: GHSA-hm8q-7f3q-5f36"}, 
"properties": {"repobilityId": 107348, "scanner": "osv-scanner", "fingerprint": "e3ff26a2ec79c02f0e7545eeac47c5e6afbf9cc2f684b8460c5f2b194515ca00", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44459"], "package": "hono", "rule_id": "GHSA-hm8q-7f3q-5f36", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44459|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tailwind-merge` is minor version(s) behind (3.5.0 -> 3.6.0)"}, "properties": {"repobilityId": 107285, "scanner": "repobility-dependency-currency", "fingerprint": "70c17d9fab096ddee407c7cb0495d423d1bf2637b5773366ec5ace49946c411a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tailwind-merge", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.6.0", "correlation_key": "fp|70c17d9fab096ddee407c7cb0495d423d1bf2637b5773366ec5ace49946c411a", "current_version": "3.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `shadcn` is minor version(s) behind (4.1.2 -> 4.10.0)"}, "properties": {"repobilityId": 107284, "scanner": "repobility-dependency-currency", "fingerprint": "f7da834c8ec398647c89785ab977b5964788d62cb8b610e4c5d7b5e6b17ba53b", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "shadcn", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.10.0", "correlation_key": "fp|f7da834c8ec398647c89785ab977b5964788d62cb8b610e4c5d7b5e6b17ba53b", "current_version": "4.1.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `isomorphic-dompurify` is minor version(s) behind (3.9.0 -> 3.16.0)"}, "properties": {"repobilityId": 107281, "scanner": "repobility-dependency-currency", "fingerprint": "31fb185102032e2f627b3570a839cafaaf216ed089835d32b670c1120e9b5cc5", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "isomorphic-dompurify", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.16.0", "correlation_key": "fp|31fb185102032e2f627b3570a839cafaaf216ed089835d32b670c1120e9b5cc5", "current_version": "3.9.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `better-sqlite3` is minor version(s) behind (12.8.0 -> 12.10.0)"}, "properties": {"repobilityId": 107280, "scanner": "repobility-dependency-currency", "fingerprint": "47bc358ec8bcb1388cbb0b0da8af3e96c8c46685e316fae1afaf8adf8ad11950", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "better-sqlite3", "scanner": "repobility-dependency-currency", 
"ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.10.0", "correlation_key": "fp|47bc358ec8bcb1388cbb0b0da8af3e96c8c46685e316fae1afaf8adf8ad11950", "current_version": "12.8.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@tabler/icons-react` is minor version(s) behind (3.41.1 -> 3.44.0)"}, "properties": {"repobilityId": 107279, "scanner": "repobility-dependency-currency", "fingerprint": "1c965cb7e6c2750db8e9bda276ccb5a053f23482f0e3df4492214a08177bf374", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@tabler/icons-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.44.0", "correlation_key": "fp|1c965cb7e6c2750db8e9bda276ccb5a053f23482f0e3df4492214a08177bf374", "current_version": "3.41.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@base-ui/react` is minor version(s) behind (1.3.0 -> 1.5.0)"}, "properties": {"repobilityId": 107278, "scanner": "repobility-dependency-currency", "fingerprint": "beed973f935e136110dafe4db0139b72622edf1fafa86457296885c364f67c50", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@base-ui/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "1.5.0", "correlation_key": 
"fp|beed973f935e136110dafe4db0139b72622edf1fafa86457296885c364f67c50", "current_version": "1.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tsx` is minor version(s) behind (4.21.0 -> 4.22.4)"}, "properties": {"repobilityId": 107277, "scanner": "repobility-dependency-currency", "fingerprint": "4d07a561399f4ca63fe7668a0bf6a1d1cdddd6b8e826965c10460c0e450e6ba6", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tsx", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.22.4", "correlation_key": "fp|4d07a561399f4ca63fe7668a0bf6a1d1cdddd6b8e826965c10460c0e450e6ba6", "current_version": "4.21.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `ora` is minor version(s) behind (9.3.0 -> 9.4.0)"}, "properties": {"repobilityId": 107276, "scanner": "repobility-dependency-currency", "fingerprint": "7312811d68153418b864113c1ce81268231c21d3ce10d0c23c758c28800fc93e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ora", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "9.4.0", "correlation_key": "fp|7312811d68153418b864113c1ce81268231c21d3ce10d0c23c758c28800fc93e", "current_version": "9.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 
1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@inquirer/prompts` is minor version(s) behind (8.4.0 -> 8.5.2)"}, "properties": {"repobilityId": 107274, "scanner": "repobility-dependency-currency", "fingerprint": "7d2e547598d3fd61f1843cc3a5e8bc6df8f57218897b6cf4794b222c822b8943", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@inquirer/prompts", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.5.2", "correlation_key": "fp|7d2e547598d3fd61f1843cc3a5e8bc6df8f57218897b6cf4794b222c822b8943", "current_version": "8.4.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107250, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58de97101ba92e957b5e7a77122e910a6c83c08fbedbed7eff6d3dd938dedb17", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/workflows/health/route.ts", "duplicate_line": 33, "correlation_key": "fp|58de97101ba92e957b5e7a77122e910a6c83c08fbedbed7eff6d3dd938dedb17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/cron-health.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
107249, "scanner": "repobility-ai-code-hygiene", "fingerprint": "657a1fdf80132a83b2742d110d94243c64aff90c1ec4185240718ef091c2a01b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/(dashboard)/workflows/health/page.tsx", "duplicate_line": 22, "correlation_key": "fp|657a1fdf80132a83b2742d110d94243c64aff90c1ec4185240718ef091c2a01b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/cron-health.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107248, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ebc8a8e85e3f2a0046b984368debebd5935e5a15ef382c3dda7ef6962e53e4f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/lib/actions/settings.ts", "duplicate_line": 256, "correlation_key": "fp|ebc8a8e85e3f2a0046b984368debebd5935e5a15ef382c3dda7ef6962e53e4f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/allowed-roots.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107247, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1b6bd0625758a3ae7f917bab4a4c3e66ff5352e99ce5cf19a937d3bbf30abbad", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/workflows/health/route.ts", "duplicate_line": 26, "correlation_key": "fp|1b6bd0625758a3ae7f917bab4a4c3e66ff5352e99ce5cf19a937d3bbf30abbad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/types/index.ts"}, "region": {"startLine": 320}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107246, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b536eb2d2c050eb30be0b650aafd752e51f8b6c1a08eeec2573efd6a367e7d4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/lib/ipc-client.ts", "duplicate_line": 89, "correlation_key": "fp|7b536eb2d2c050eb30be0b650aafd752e51f8b6c1a08eeec2573efd6a367e7d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/daemon/ipc-server.ts"}, "region": {"startLine": 631}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107245, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2149daacf7eab3b27d52e5586d8e4b9b80cce843a00112f1ac068b431f99d228", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window 
appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/cli/add-agent.ts", "duplicate_line": 169, "correlation_key": "fp|2149daacf7eab3b27d52e5586d8e4b9b80cce843a00112f1ac068b431f99d228"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/init.ts"}, "region": {"startLine": 139}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107244, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d753efa96e2bc7a0bedea716d762e89f03045c7685e432fa5bcdb1f3d2c9ad55", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/workflows/crons/[agent]/executions/route.ts", "duplicate_line": 34, "correlation_key": "fp|d753efa96e2bc7a0bedea716d762e89f03045c7685e432fa5bcdb1f3d2c9ad55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/bus/crons.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107243, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f759db51c3214d22b9e99de1760d8e6c9ccccae4951b486af75ce0f7863d153", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "dashboard/src/lib/cron-utils.ts", "duplicate_line": 1, "correlation_key": "fp|3f759db51c3214d22b9e99de1760d8e6c9ccccae4951b486af75ce0f7863d153"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/bus/cron-state.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107242, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d776a92d3a12e3b647e7af11301e72214d619415f981c6c2dba04156b1b3d953", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/components/wiki/wiki-renderer.tsx", "duplicate_line": 63, "correlation_key": "fp|d776a92d3a12e3b647e7af11301e72214d619415f981c6c2dba04156b1b3d953"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/lib/render-markdown.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107241, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bdeeae9f819d26c7bb6821afd0bce25279836cb273909b26aa684cc000cdc961", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/workflows/health/route.ts", "duplicate_line": 27, "correlation_key": 
"fp|bdeeae9f819d26c7bb6821afd0bce25279836cb273909b26aa684cc000cdc961"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/lib/ipc-client.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107240, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0306793b0bef107a144abbdef3185ea04ad40e20782de42f432322030bf3be5b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/settings/telegram/route.ts", "duplicate_line": 13, "correlation_key": "fp|0306793b0bef107a144abbdef3185ea04ad40e20782de42f432322030bf3be5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/lib/actions/settings.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107239, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4901b109e47b08a734ae22d2f57042ac5b6b0fa5a172e4f5ee52c1533d3237ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/approvals/[id]/route.ts", "duplicate_line": 82, "correlation_key": "fp|4901b109e47b08a734ae22d2f57042ac5b6b0fa5a172e4f5ee52c1533d3237ea"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "dashboard/src/lib/actions/approvals.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107238, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cbdfb0025ea04fa5364a979ae481923438131e334ed48baf22a09c613adc46c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/wiki/tree/route.ts", "duplicate_line": 7, "correlation_key": "fp|cbdfb0025ea04fa5364a979ae481923438131e334ed48baf22a09c613adc46c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/wiki/folder-tree.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107237, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df2c864fae17182ee53e72f61a1392b4a891ea4d2a524b62791efcca65cb9ae1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/components/agents/memory-tab.tsx", "duplicate_line": 51, "correlation_key": "fp|df2c864fae17182ee53e72f61a1392b4a891ea4d2a524b62791efcca65cb9ae1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/agents/profile-form.tsx"}, "region": {"startLine": 49}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107236, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1ff2f5acfd054fdba3eab2df35d12b9c6a0e3130dbbbea9a1f9dfb3fd989f53", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/workflows/crons/route.ts", "duplicate_line": 36, "correlation_key": "fp|d1ff2f5acfd054fdba3eab2df35d12b9c6a0e3130dbbbea9a1f9dfb3fd989f53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/workflows/health/route.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107235, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a820ef75588eca650be1d3ef889948ad0428ba96a0997910ad67ca091ceda0b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/workflows/crons/[agent]/[name]/executions/route.ts", "duplicate_line": 10, "correlation_key": "fp|a820ef75588eca650be1d3ef889948ad0428ba96a0997910ad67ca091ceda0b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/workflows/crons/[agent]/[name]/route.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 107234, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d122df5ea5f81d4444103f8c151d97f1fea163a88a3da541fff741aa6da10f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/events/stream/route.ts", "duplicate_line": 29, "correlation_key": "fp|9d122df5ea5f81d4444103f8c151d97f1fea163a88a3da541fff741aa6da10f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/messages/stream/[agent]/route.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107233, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70c4d9daf846af25861fc8dde7129eb51f9dc98020acb82221ad3337da2858b9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/kb/collections/route.ts", "duplicate_line": 13, "correlation_key": "fp|70c4d9daf846af25861fc8dde7129eb51f9dc98020acb82221ad3337da2858b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/kb/search/route.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107232, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "0cf13e38d5aa3a4a9474407e6f8e7d169714811f8da1158dd5d9f5f905d71b66", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/(dashboard)/experiments/page.tsx", "duplicate_line": 49, "correlation_key": "fp|0cf13e38d5aa3a4a9474407e6f8e7d169714811f8da1158dd5d9f5f905d71b66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/experiments/route.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107231, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a7aa00aa42ed848324909efe2ee2d3dec2211ed2ab3c2eb7905ef6c6bb6c4393", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/comms/channels/route.ts", "duplicate_line": 49, "correlation_key": "fp|a7aa00aa42ed848324909efe2ee2d3dec2211ed2ab3c2eb7905ef6c6bb6c4393"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/comms/feed/route.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107230, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"12e2d2d4abbef1c5d4adc7f78734d1fc3ff539749af85ce3b6f74237fc273ee5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dashboard/src/app/api/comms/channel/[pair]/route.ts", "duplicate_line": 1, "correlation_key": "fp|12e2d2d4abbef1c5d4adc7f78734d1fc3ff539749af85ce3b6f74237fc273ee5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/comms/channels/route.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 107338, "scanner": "repobility-threat-engine", "fingerprint": "9180bbbc14a4c93a8b587b63aecc76eb831f9fd57705cce709413531bfe67f7f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9180bbbc14a4c93a8b587b63aecc76eb831f9fd57705cce709413531bfe67f7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/init.ts"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 107337, "scanner": "repobility-threat-engine", "fingerprint": 
"01e1cd33f18b59fd1717960b85bbbf2463a59a39a49b3997436102b12faae02b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01e1cd33f18b59fd1717960b85bbbf2463a59a39a49b3997436102b12faae02b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/dashboard.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 107334, "scanner": "repobility-threat-engine", "fingerprint": "9202292591d6c88990ebb2f2f39f343757c772e580cb13a4665dafc4bb529b1d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9202292591d6c88990ebb2f2f39f343757c772e580cb13a4665dafc4bb529b1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/middleware.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": 
"MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 107327, "scanner": "repobility-threat-engine", "fingerprint": "e0995c5d759ff88bcff8b6d90248839e08aeba1c6433dc97116eee3b14f72187", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0995c5d759ff88bcff8b6d90248839e08aeba1c6433dc97116eee3b14f72187"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/update.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 107326, "scanner": "repobility-threat-engine", "fingerprint": "d3506bd03279f07fc6d776a8eb8ed0915281f5a1a032957e466383cbeed98b4d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d3506bd03279f07fc6d776a8eb8ed0915281f5a1a032957e466383cbeed98b4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/cli/start.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 107325, "scanner": "repobility-threat-engine", "fingerprint": "f30cc6565e719a04986ee68884445a04e8de548e2e399b2baf1c980341872911", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f30cc6565e719a04986ee68884445a04e8de548e2e399b2baf1c980341872911"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/auth/mobile/route.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 107324, "scanner": "repobility-threat-engine", "fingerprint": "976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|976bb413e58f70f53fa6a891d8be3bb3844b6ff3fd9e04272cb46082ff0a16ea", "aggregated_count": 1}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 107323, "scanner": "repobility-threat-engine", "fingerprint": "badb1fead6ac6c18554f7180cb70ed2dc6e432c6108d9f31f1b5763f90822424", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|badb1fead6ac6c18554f7180cb70ed2dc6e432c6108d9f31f1b5763f90822424"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/start.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 107322, "scanner": "repobility-threat-engine", "fingerprint": "48622c83a9f09338161fbdab0c6b93caa558b602438a9dd42719490e0f1c6606", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|48622c83a9f09338161fbdab0c6b93caa558b602438a9dd42719490e0f1c6606"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/enable-agent.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 107321, "scanner": "repobility-threat-engine", "fingerprint": "3e02563f352d6cba14156bcc3dc9181ca62c757aee997d849fb144a0dc7b1bcb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e02563f352d6cba14156bcc3dc9181ca62c757aee997d849fb144a0dc7b1bcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/agents/[name]/lifecycle/route.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 107320, "scanner": "repobility-threat-engine", "fingerprint": "7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7eac65c6d729ce731cf7f1b0d32d88551e2714b6a555982628995e228d42ee93", "aggregated_count": 3}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 107319, "scanner": "repobility-threat-engine", "fingerprint": "af8fcb1901b91dabc2bfed15f553ea2468559daaa022ad15ebe63177a8a71297", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af8fcb1901b91dabc2bfed15f553ea2468559daaa022ad15ebe63177a8a71297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/comms/upload/route.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 107318, "scanner": "repobility-threat-engine", "fingerprint": "6285e6ad1c438bd014f765604e255b7c1b8fed45e331beff1e09a8c56a38a71b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6285e6ad1c438bd014f765604e255b7c1b8fed45e331beff1e09a8c56a38a71b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/comms/channels/route.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 107317, "scanner": "repobility-threat-engine", "fingerprint": "36e8ba21ff9098a08d943c2c85d89ce9b4886fd0063db42b0021bc5104b3f795", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|36e8ba21ff9098a08d943c2c85d89ce9b4886fd0063db42b0021bc5104b3f795"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/analytics/page.tsx"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 107316, "scanner": "repobility-threat-engine", "fingerprint": "bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "aggregated_count": 6}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 107315, "scanner": "repobility-threat-engine", "fingerprint": "7528b03a02cfe7e6ec6421a7d02495d3938f356f8bf2b7894f971bef1c2ec23c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7528b03a02cfe7e6ec6421a7d02495d3938f356f8bf2b7894f971bef1c2ec23c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/approvals/page.tsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 107314, "scanner": "repobility-threat-engine", "fingerprint": "b990ab0d8dcf9b819c4c9cdef099bee8c68c24c35399c30b37643f8c3ea423de", 
"category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b990ab0d8dcf9b819c4c9cdef099bee8c68c24c35399c30b37643f8c3ea423de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/agents/loading.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 107313, "scanner": "repobility-threat-engine", "fingerprint": "f01cab3156e043641c1144118130fdda5d475634480286088f913c52fb961934", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f01cab3156e043641c1144118130fdda5d475634480286088f913c52fb961934"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/activity/loading.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log 
Prod (and 61 more): Same pattern found in 61 additional files. Review if needed."}, "properties": {"repobilityId": 107311, "scanner": "repobility-threat-engine", "fingerprint": "9601d4a28dbac7d9bbc29530ed28eb7223e9b47070a3e8fae8b4bb1dda9b8148", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 61 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9601d4a28dbac7d9bbc29530ed28eb7223e9b47070a3e8fae8b4bb1dda9b8148", "aggregated_count": 61}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 107310, "scanner": "repobility-threat-engine", "fingerprint": "c028d4808a0dc03097eb5db0f753a38c775ec618686c1a799f720c23f649bcf3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c028d4808a0dc03097eb5db0f753a38c775ec618686c1a799f720c23f649bcf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/agents/error.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 107309, "scanner": "repobility-threat-engine", "fingerprint": "063de40c5181fd9b0eae641db7652ca3f32486ed9f9ff71b3ab7656f1d9923cb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|063de40c5181fd9b0eae641db7652ca3f32486ed9f9ff71b3ab7656f1d9923cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(dashboard)/activity/error.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 107308, "scanner": "repobility-threat-engine", "fingerprint": "4ebc5fc73dbe9c75c3fbe9560d471ebd7fdf41964ce39acbf05e5657a28bfe8f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ebc5fc73dbe9c75c3fbe9560d471ebd7fdf41964ce39acbf05e5657a28bfe8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(auth)/login/page.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 107307, "scanner": "repobility-threat-engine", "fingerprint": "649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 107303, "scanner": "repobility-threat-engine", "fingerprint": "98e6262e3b075184faf052c60b50f67bcbe7a59c78a00cb653069b8af654317c", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|98e6262e3b075184faf052c60b50f67bcbe7a59c78a00cb653069b8af654317c"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 107302, "scanner": "repobility-threat-engine", "fingerprint": "473fcef61e96614c3429de4e903e3b430697df15b011ec622c58c2a258dafd0e", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.log('\\n  AUTH_SECRET not set \u2014 generating one automatically.')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/cli/dashboard.ts|5|console.log n auth_secret not set generating one automatically."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/dashboard.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 107301, "scanner": "repobility-threat-engine", "fingerprint": "7b1b82d11a9b9d1ad54b1bc2642d54d830e012c4633b60373e7b8077c96f9daa", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error('[messages/stream] AUTH_SECRET not set \u2014 refusing SSE connection')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token / agent /route.ts|2|console.error messages/stream auth_secret not set refusing sse connection"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/messages/stream/[agent]/route.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 107300, "scanner": "repobility-threat-engine", "fingerprint": "b146d4989ec29e2ea903f837e4c084908fe0a6fd4c93e4f3d5b7708e5fb62476", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('[login] /api/auth/csrf returned no token', data)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|dashboard/src/app/ auth /login/page.tsx|5|console.error login /api/auth/csrf returned no token data"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(auth)/login/page.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `marked` is patch version(s) behind (18.0.0 -> 18.0.5)"}, "properties": {"repobilityId": 107283, "scanner": "repobility-dependency-currency", "fingerprint": "14d7bf447ccf9c6201db96061899696c72e89738bd8b56847a4e3e9cb909722c", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "marked", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "18.0.5", "correlation_key": "fp|14d7bf447ccf9c6201db96061899696c72e89738bd8b56847a4e3e9cb909722c", "current_version": "18.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package.json"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `jose` is patch version(s) behind (6.2.2 -> 6.2.3)"}, "properties": {"repobilityId": 107282, "scanner": "repobility-dependency-currency", "fingerprint": "1da21cbccddd4e42543965216e88bb55a2bd1393f055de82712823edbdc3ede3", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jose", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.2.3", "correlation_key": "fp|1da21cbccddd4e42543965216e88bb55a2bd1393f055de82712823edbdc3ede3", "current_version": "6.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 107408, "scanner": "repobility-journey-contract", "fingerprint": "accd0ec26bc7301c9a2fbf7cebec1270e2846e0dea6f87bbcda6172b23268bb8", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|117|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/settings/users-tab.tsx"}, "region": {"startLine": 117}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby 
authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PATCH /approvals/:id/route."}, "properties": {"repobilityId": 107377, "scanner": "repobility-access-control", "fingerprint": "97ba7958ecd24c126357821ce528b8ce6e1f9138a0bf73fba128a1f62f7cac94", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/approvals/:id/route", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / id /route.ts|52|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/approvals/[id]/route.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /approvals/:id/route."}, "properties": {"repobilityId": 107376, "scanner": "repobility-access-control", "fingerprint": "e8db21d9234fad0f738b2784b6f688c35d0448b01b053353d596ec5c6ad43dcd", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/approvals/:id/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token / id /route.ts|21|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/approvals/[id]/route.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PATCH /tasks/:id/route."}, "properties": {"repobilityId": 107375, "scanner": "repobility-access-control", "fingerprint": "ac0079c7fb155b577d56f5e0af4b151526f7ea1e4e5fe306b61508167255ed09", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/tasks/:id/route", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|dashboard/src/app/api/tasks/ id /route.ts|213|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/tasks/[id]/route.ts"}, "region": {"startLine": 213}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PUT /tasks/:id/route."}, "properties": {"repobilityId": 107374, "scanner": "repobility-access-control", "fingerprint": "195eb51e6a945dfe292a3b119de69475b5c55e0cf9d77177e302097145e84545", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/tasks/:id/route", "method": "PUT", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|dashboard/src/app/api/tasks/ id /route.ts|116|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/tasks/[id]/route.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /tasks/:id/route."}, "properties": {"repobilityId": 107373, "scanner": "repobility-access-control", "fingerprint": "82f87fd293aa8c92b26acf2b692302e453c019f5cb95eff760f1eeada5b9cfb8", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/tasks/:id/route", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|dashboard/src/app/api/tasks/ id /route.ts|78|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/tasks/[id]/route.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /tasks/:id/route."}, "properties": {"repobilityId": 107372, "scanner": "repobility-access-control", "fingerprint": "0358c851567d75c5ed5ac43db3a27d045dd49f67424e4be070c48e42dc7db36c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/tasks/:id/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|dashboard/src/app/api/tasks/ id /route.ts|41|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/tasks/[id]/route.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "GHSA-mg66-mrh9-m8jx", "level": "error", "message": {"text": "next: GHSA-mg66-mrh9-m8jx"}, "properties": {"repobilityId": 107364, "scanner": "osv-scanner", "fingerprint": "42ca2f521273048a97479b6d7182a3afc713d0349c6a7cc286b84619c70407fd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44579"], "package": "next", "rule_id": "GHSA-mg66-mrh9-m8jx", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44579|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c4j6-fc7j-m34r", "level": "error", "message": {"text": "next: GHSA-c4j6-fc7j-m34r"}, "properties": {"repobilityId": 107360, "scanner": "osv-scanner", "fingerprint": "b5dbfe8dc68cb22e7bbe6070bf4bfd1704f23aa29617759191301a460d2b0664", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44578"], "package": 
"next", "rule_id": "GHSA-c4j6-fc7j-m34r", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44578|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8h8q-6873-q5fj", "level": "error", "message": {"text": "next: GHSA-8h8q-6873-q5fj"}, "properties": {"repobilityId": 107359, "scanner": "osv-scanner", "fingerprint": "2f69be0e2797dfd5a534716c1547615092c1304d01033302e0af0431a3d53f07", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "next", "rule_id": "GHSA-8h8q-6873-q5fj", "scanner": "osv-scanner", "correlation_key": "vuln|next|GHSA-8H8Q-6873-Q5FJ|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-492v-c6pp-mqqv", "level": "error", "message": {"text": "next: GHSA-492v-c6pp-mqqv"}, "properties": {"repobilityId": 107358, "scanner": "osv-scanner", "fingerprint": "024102664dc655a50e522404652b2ea77b40dfc0fbe45e7e64400d74e8e0c14e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44574"], "package": "next", "rule_id": "GHSA-492v-c6pp-mqqv", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44574|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-36qx-fr4f-26g5", "level": "error", "message": {"text": "next: GHSA-36qx-fr4f-26g5"}, "properties": {"repobilityId": 107356, "scanner": "osv-scanner", "fingerprint": "2dead5613dcd3aa42a8f0bb41374f7bc90a3245d4ff1a84fec993074fa4a26af", "category": "dependency", "severity": 
"high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44573"], "package": "next", "rule_id": "GHSA-36qx-fr4f-26g5", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44573|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-26hh-7cqf-hhc6", "level": "error", "message": {"text": "next: GHSA-26hh-7cqf-hhc6"}, "properties": {"repobilityId": 107355, "scanner": "osv-scanner", "fingerprint": "b9c66ab52b2971667db28209b01f00333866beaa641365fce162a57d5aa0db82", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45109"], "package": "next", "rule_id": "GHSA-26hh-7cqf-hhc6", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-45109|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-267c-6grr-h53f", "level": "error", "message": {"text": "next: GHSA-267c-6grr-h53f"}, "properties": {"repobilityId": 107354, "scanner": "osv-scanner", "fingerprint": "5f2b78f00d1742b563a9956c58b0c06c59a40c8e49d0fe95d312fb8fadf9dc39", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44575"], "package": "next", "rule_id": "GHSA-267c-6grr-h53f", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44575|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-6v9c-7cg6-27q7", "level": "error", "message": {"text": "marked: 
GHSA-6v9c-7cg6-27q7"}, "properties": {"repobilityId": 107353, "scanner": "osv-scanner", "fingerprint": "6c7cc3bc114774116e0943d6963cc76d8d0d1c93e6e84d446ccd791e675c4fb8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41680"], "package": "marked", "rule_id": "GHSA-6v9c-7cg6-27q7", "scanner": "osv-scanner", "correlation_key": "vuln|marked|CVE-2026-41680|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 107342, "scanner": "osv-scanner", "fingerprint": "a1580ba7633e2b2e853c1f2b8a2188093c712491ce85c8ec81e240ea46b5a78c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 107341, "scanner": "osv-scanner", "fingerprint": "98f96ad985b535d08422b03160cfcc146a5c61a7f515cb7cffddef9829f5a2d8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": 
"vuln|fast-uri|CVE-2026-6321|dashboard/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 107336, "scanner": "repobility-threat-engine", "fingerprint": "720d23de66f96966deb1ebd8d7c89b9ad1e61ebf7e8fc59213dcc49d12d1b4fc", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}=${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|720d23de66f96966deb1ebd8d7c89b9ad1e61ebf7e8fc59213dcc49d12d1b4fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/dashboard.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 107335, "scanner": "repobility-threat-engine", "fingerprint": "d9a09062a6d286ecd9231ce1e26b8f4c50923d156ad2e9453034b260e06fb0ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": 
{"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d9a09062a6d286ecd9231ce1e26b8f4c50923d156ad2e9453034b260e06fb0ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/bus/cron-state.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 107333, "scanner": "repobility-threat-engine", "fingerprint": "0860454fb32d71e650479805aae6cd3b4a1bcb2c00eb4992d1fec6f964f4e0eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(interval", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0860454fb32d71e650479805aae6cd3b4a1bcb2c00eb4992d1fec6f964f4e0eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/bus/cron-state.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0). The matched text shows only a call to exec with a non-literal argument, so confirm that the callee is child_process.exec rather than RegExp.prototype.exec before triaging this as command injection."}, "properties": {"repobilityId": 107332, "scanner": "repobility-threat-engine", "fingerprint": "1f1efcffa8da320656adb84204c8336f661c3665361c35db33444a8a29c0d0f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1f1efcffa8da320656adb84204c8336f661c3665361c35db33444a8a29c0d0f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/wiki/wiki-renderer.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 107329, "scanner": "repobility-threat-engine", "fingerprint": "d1fbf90df5cc053a772f0d211dcd15983e0f1c1398b087fc47693f343fefcafc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.send(message);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d1fbf90df5cc053a772f0d211dcd15983e0f1c1398b087fc47693f343fefcafc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/ws-unix-client.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 107328, "scanner": "repobility-threat-engine", "fingerprint": "284f86998d0ca128f0afb1be883adbfe65a58f27351eae478a2b3263e74dec53", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "params.delete('org');", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|284f86998d0ca128f0afb1be883adbfe65a58f27351eae478a2b3263e74dec53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/components/layout/org-selector.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. The matched text is only a URL constructor call, so confirm that the constructed URL is the destination of an outbound request, not just a parse of the incoming request URL, before triaging this as SSRF."}, "properties": {"repobilityId": 107306, "scanner": "repobility-threat-engine", "fingerprint": "e728723ade761caac63d88775537ac7207953b93a9da62196bed4b1c9c6551f8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e728723ade761caac63d88775537ac7207953b93a9da62196bed4b1c9c6551f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/messages/stream/[agent]/route.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 107305, "scanner": "repobility-threat-engine", "fingerprint": "24704c8053060724d90acd9cbda8a686a289be31569f8f009326e3e704bbce9c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|24704c8053060724d90acd9cbda8a686a289be31569f8f009326e3e704bbce9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/api/analytics/overview/route.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 107304, "scanner": "repobility-threat-engine", "fingerprint": "6bb082b644e08673af9f4d45c6a0490917296bfab1547c9f6409678e604b4450", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6bb082b644e08673af9f4d45c6a0490917296bfab1547c9f6409678e604b4450"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/app/(auth)/login/page.tsx"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 107299, "scanner": "repobility-threat-engine", "fingerprint": "0c2d33a9a83270eff9c16ecaf92d123ace8defef04ba74d6205321a48f7a7f64", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c2d33a9a83270eff9c16ecaf92d123ace8defef04ba74d6205321a48f7a7f64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/ws-unix-client.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just 
checksums)."}, "properties": {"repobilityId": 107298, "scanner": "repobility-threat-engine", "fingerprint": "284a28d7b4dfa38486d84f46deeb444cdf654231af8f5f2e2854020c4a3c7798", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|284a28d7b4dfa38486d84f46deeb444cdf654231af8f5f2e2854020c4a3c7798"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pty/inject.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 107297, "scanner": "repobility-threat-engine", "fingerprint": "eae6e23f978742bdfe79a0a6bce6436a07ff7b5df0bb41d19feb031e23676754", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eae6e23f978742bdfe79a0a6bce6436a07ff7b5df0bb41d19feb031e23676754"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "community/agents/agentic-crm-assistant/crm/add-followup.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AGT003", "level": "error", "message": {"text": 
"User-editable role instructions are inserted into the system prompt"}, "properties": {"repobilityId": 107296, "scanner": "repobility-agent-runtime", "fingerprint": "6394dcdb6060793ba642fb2a678b085276b1eb97eb28c70ef7e450d2cd740251", "category": "llm_injection", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to combine a user-editable role/fleet instruction with system prompt construction without visible bounds or sanitizer.", "evidence": {"rule_id": "AGT003", "scanner": "repobility-agent-runtime", "data_flow": "user_editable_role_to_system_prompt", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|6394dcdb6060793ba642fb2a678b085276b1eb97eb28c70ef7e450d2cd740251"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/types/index.ts"}, "region": {"startLine": 640}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_fail_fast_nontransient"}, "properties": {"repobilityId": 107269, "scanner": "repobility-ast-engine", "fingerprint": "ce452b6d118715678859d6673b8b6891c0bbca5bcc595f4e95b1c1bf76a706d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce452b6d118715678859d6673b8b6891c0bbca5bcc595f4e95b1c1bf76a706d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/_test_clients/test_retry.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_all_exhausted"}, "properties": {"repobilityId": 107268, "scanner": "repobility-ast-engine", "fingerprint": 
"7486a5e83bb94b9348bf257f261edcb9565efdb07047d9235ab15be359ec0e13", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7486a5e83bb94b9348bf257f261edcb9565efdb07047d9235ab15be359ec0e13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/_test_clients/test_retry.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "Phantom test coverage: test_transient_then_success"}, "properties": {"repobilityId": 107267, "scanner": "repobility-ast-engine", "fingerprint": "1b7825188341f79a2396ad85f013eb8077a82e159f248ce9fbe8197fa4340ff7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1b7825188341f79a2396ad85f013eb8077a82e159f248ce9fbe8197fa4340ff7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/_test_clients/test_retry.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cost` used but never assigned in __init__"}, "properties": {"repobilityId": 107252, "scanner": "repobility-ast-engine", "fingerprint": "a3fcbe32cb304a42421050723ee78b6ccf081281884efc55ade43e7c3ab580c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, 
"cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a3fcbe32cb304a42421050723ee78b6ccf081281884efc55ade43e7c3ab580c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.cost` used but never assigned in __init__"}, "properties": {"repobilityId": 107251, "scanner": "repobility-ast-engine", "fingerprint": "65568564464f81ff4488a530a95ca17648a891abf7d3901287f1978bda0b2f97", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|65568564464f81ff4488a530a95ca17648a891abf7d3901287f1978bda0b2f97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "knowledge-base/scripts/mmrag.py"}, "region": {"startLine": 124}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 107392, "scanner": "repobility-journey-contract", "fingerprint": "1f927438c569e38c94026d0d1a951003e7e18030161c26e239cc9b04044aff14", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": 
"code|auth|dashboard/src/middleware.ts|79|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/middleware.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 107339, "scanner": "gitleaks", "fingerprint": "2983d83163203cefe290e1b9a277af7e9465090a2228f0626f7a2af81ed48a99", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED'", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|token|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/unit/pty/output-buffer.test.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CI_ADMIN_PASSWORD` on a `pull_request` trigger"}, "properties": {"repobilityId": 107273, "scanner": "repobility-supply-chain", "fingerprint": "e10d908595b401e62d73933c4def5eb743ac36c71639f4e851e6c58257f94e96", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e10d908595b401e62d73933c4def5eb743ac36c71639f4e851e6c58257f94e96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CI_AUTH_SECRET` on a `pull_request` trigger"}, "properties": {"repobilityId": 107272, "scanner": 
"repobility-supply-chain", "fingerprint": "9e6e945d3d216e4729cb3064a05aa9dc74b0407558eb3e9aeba4daac49a78d6c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e6e945d3d216e4729cb3064a05aa9dc74b0407558eb3e9aeba4daac49a78d6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 73}}}]}]}]}