42 changes: 34 additions & 8 deletions .claude/review-state.json
@@ -1,6 +1,6 @@
{
"last_run": "2026-05-26T00:55:00Z",
"last_commit": "5083c52b64190381eadbb9f0c13b42e52c358a5a",
"last_run": "2026-05-26T05:00:00Z",
"last_commit": "81f8735d167b597ed7a7a88cc7f89ba0b440b07d",
"filed": [
{
"issue": 8,
@@ -14,20 +14,45 @@
"evidence_quality": 10
},
"timestamp": "2026-05-26T00:55:00Z"
},
{
"issue": 19,
"title": "[REVIEW] CSP: missing `form-action` directive not flagged — `default-src 'self'` leaves form submissions unrestricted",
"finding": "checkCSP in src/rules.ts:41-71 never checks whether form-action is present. form-action does not fall back to default-src (same class of bug as closed #5 for base-uri). A policy of default-src 'self' awards 20/30 'good' with zero findings about form-action, leaving form submissions completely unrestricted.",
"score": 8.1,
"score_breakdown": {
"user_impact": 8,
"security_severity": 7,
"implementation_effort": 9,
"evidence_quality": 10
},
"timestamp": "2026-05-26T05:00:00Z"
}
],
"runner_ups": [
{
"finding": "CSP wildcard regex /(?:default-src|script-src)\\s+\\*/i only matches when '*' is the first source token; 'default-src 'self' *' is not flagged.",
"score": 6.1,
"reason_not_filed": "lower score; subsumed by broader CSP-evaluator-style follow-up to #5",
"reason_not_filed": "lower score; now covered by open issue #16",
"timestamp": "2026-05-26T00:55:00Z"
},
{
"finding": "checkCSP does not recognize Content-Security-Policy-Report-Only header; report-only deployments are treated as if no CSP exists.",
"score": 5.9,
"score": 6.05,
"reason_not_filed": "lower score; needs design discussion on whether report-only should count for points",
"timestamp": "2026-05-26T00:55:00Z"
"timestamp": "2026-05-26T05:00:00Z"
},
{
"finding": "checkCSP maxScore is 30 but the function can only award up to 20 points (starts at 20, only deductions). Developers see score: 20, maxScore: 30 for a perfect CSP with no way to earn the remaining 10 points.",
"score": 6.9,
"reason_not_filed": "lower score than filed finding; relates to future bonus-point criteria not yet implemented",
"timestamp": "2026-05-26T05:00:00Z"
},
{
"finding": "X-Frame-Options ALLOW-FROM value gets 8/15 and 'warning' status, but ALLOW-FROM is deprecated and ignored by all modern browsers — the tool implies partial protection where none exists.",
"score": 6.75,
"reason_not_filed": "lower score than filed finding",
"timestamp": "2026-05-26T05:00:00Z"
},
{
"finding": "HSTS check awards full credit (preload bonus) when 'preload' directive is present even if max-age < 63072000 (2 years), which is the minimum the actual hstspreload.org submission requires.",
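Review bot: the report-only runner-up (`"finding": "checkCSP does not recognize Content-Security-Policy-Report-Only header ..."`) is re-scored from 5.9 to 6.05 and its timestamp bumped, but nothing in the entry records why; runner_ups carry no score_breakdown, so unlike the filed entries the change cannot be audited. Consider giving runner-up entries a score_breakdown (or a short rescoring note) whenever the score moves. Separately, the HSTS runner-up states 63072000 (2 years) as the minimum hstspreload.org requires; as of the currently published submission requirements the minimum max-age is 31536000 (one year), with two years being the recommended value, so the finding text should be checked and corrected before it is promoted to a filed issue.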
@@ -38,7 +63,7 @@
{
"finding": "Referrer-Policy classifies 'no-referrer-when-downgrade' as a strong value (score 10), but it is the historical default and is widely considered weak for cross-origin URL leakage.",
"score": 4.2,
"reason_not_filed": "lower score; borderline classification call rather than a clear bug",
"reason_not_filed": "now filed as open issue #18",
"timestamp": "2026-05-26T00:55:00Z"
},
{
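Review bot: this entry now says `"reason_not_filed": "now filed as open issue #18"`, yet it stays under runner_ups with its original score of 4.2 and the old 00:55:00Z timestamp, and no matching `"issue": 18` entry appears in the filed list in this diff. If #18 was filed outside the runner, add the corresponding filed entry (with its score_breakdown) so the dedup logic sees it, and move or drop this runner-up; also bump the timestamp when the reason changes, as the report-only entry in the previous hunk does, so the two hunks follow the same convention.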
@@ -50,7 +75,7 @@
{
"finding": "checkCSP does not flag missing base-uri directive, leaving <base> injection silently bypassing script-src 'self'.",
"score": 7.9,
"reason_not_filed": "duplicate of open issue #5",
"reason_not_filed": "resolved — closed as issue #5",
"timestamp": "2026-05-26T00:55:00Z"
}
],
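Review bot: a finding whose issue has been closed (`"reason_not_filed": "resolved — closed as issue #5"`) is still carried as a runner-up with score 7.9 and a present-tense description of the bug. Since runner_ups is meant for findings that were scored but not filed, a resolved item does not belong here; either remove it or record it in a separate resolved list so a later run does not re-evaluate or re-file the base-uri finding.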
@@ -59,6 +84,7 @@
"tsconfig.json strict mode is enabled",
"CI workflows (ci.yml, publish.yml, auto-tag.yml) are sound",
"X-Content-Type-Options check (rules.ts:93-104) — values correctly validated",
"X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected"
"X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected",
"PRs #9 and #10 (commits 8133c48, 5236522) — only changed .claude state files, no source changes"
]
}
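Review bot: the verified-areas entry for the X-Frame-Options check (rules.ts:73-91) is kept unchanged as "accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected" while the same commit adds a runner-up saying the check awards 8/15 and a 'warning' status to the deprecated ALLOW-FROM value. The two statements conflict; qualify the verified entry (for example, "DENY/SAMEORIGIN handling verified; ALLOW-FROM scoring tracked as runner-up") so the file does not mark as sound a check it also lists as misleading.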