Verified the AI analysis end-to-end with a real provider and fixed two gaps
found during the live run.
Findings & fixes:
- gpt-5 series (Replit AI Integrations modelfarm default) rejected the hardcoded
`temperature: 0.1` with HTTP 400, silently disabling AI analysis. Removed the
temperature param from the OpenAI-compatible request for broad model
compatibility (aiAnalysis.ts).
- Per-rule AI config (enable/disable/severity) was only a global on/off gate and
AI findings weren't mapped to the AI rule IDs, so individual rule severity was
ignored. runAiAnalysis now receives the enabled AI rules, instructs the model
to classify each finding into one of those ruleIds, drops findings for
disabled rules, and overrides severity/axis with the configured values
(aiAnalysis.ts + scanEngine.ts).
End-to-end verification (Replit OpenAI integration, gpt-5-mini provider):
- "KI-Analyse aktivieren" produces AI findings mapped to AI-PROMPT-INJECTION,
AI-MALICIOUS-INTENT, AI-DATA-PRIVACY.
- Disabling AI-MALICIOUS-INTENT removed its finding; setting AI-PROMPT-INJECTION
to critical was reflected in the result.
- Wrong baseUrl and invalid token (real OpenAI endpoint) produce understandable
aiError messages with no token leak.
Side effects / notes:
- Set up the Replit OpenAI AI Integration (env vars) and created one enabled
provider row ("Replit OpenAI") so AI analysis works out of the box. Each
AI-enabled scan bills the user's Replit credits.
- Test scans created during verification were deleted.
- artifacts/api-server typecheck passes.
Replit-Task-Id: 7321caa4-5079-4db7-8ed2-4ccaa74fa577
