From eb72dd5889c91543a3752d58a4aaf1dacbda9e09 Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 26 May 2026 06:15:59 +0000
Subject: [PATCH] chore: review state update 2026-05-26 (issue #20)
---
 .claude/review-state.json | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)
diff --git a/.claude/review-state.json b/.claude/review-state.json
index b21a0b9..42ad91a 100644
--- a/.claude/review-state.json
+++ b/.claude/review-state.json
@@ -1,6 +1,6 @@
 {
- "last_run": "2026-05-26T00:55:00Z",
- "last_commit": "5083c52b64190381eadbb9f0c13b42e52c358a5a",
+ "last_run": "2026-05-26T06:10:00Z",
+ "last_commit": "81f8735d167b597ed7a7a88cc7f89ba0b440b07d",
 "filed": [
 {
 "issue": 8,
@@ -14,31 +14,44 @@
 "evidence_quality": 10
 },
 "timestamp": "2026-05-26T00:55:00Z"
+ },
+ {
+ "issue": 20,
+ "title": "[REVIEW] CSP: Content-Security-Policy-Report-Only is invisible to the analyzer — report-only deployments score 0/30 as if no CSP exists",
+ "finding": "checkCSP in src/rules.ts:42 only queries 'content-security-policy', never 'content-security-policy-report-only'; sites in the standard report-only rollout phase score 0/30 with status 'missing' and a misleading recommendation to 'add a CSP' even though one is already deployed.",
+ "score": 6.75,
+ "score_breakdown": {
+ "user_impact": 7,
+ "security_severity": 5,
+ "implementation_effort": 8,
+ "evidence_quality": 9
+ },
+ "timestamp": "2026-05-26T06:10:00Z"
 }
 ],
 "runner_ups": [
 {
 "finding": "CSP wildcard regex /(?:default-src|script-src)\\s+\\*/i only matches when '*' is the first source token; 'default-src 'self' *' is not flagged.",
 "score": 6.1,
- "reason_not_filed": "lower score; subsumed by broader CSP-evaluator-style follow-up to #5",
+ "reason_not_filed": "lower score; now covered by open issue #16",
 "timestamp": "2026-05-26T00:55:00Z"
 },
 {
 "finding": "checkCSP does not recognize Content-Security-Policy-Report-Only header; report-only deployments are treated as if no CSP exists.",
 "score": 5.9,
- "reason_not_filed": "lower score; needs design discussion on whether report-only should count for points",
+ "reason_not_filed": "previously runner-up; filed this run as issue #20 with refined scoring",
 "timestamp": "2026-05-26T00:55:00Z"
 },
 {
 "finding": "HSTS check awards full credit (preload bonus) when 'preload' directive is present even if max-age < 63072000 (2 years), which is the minimum the actual hstspreload.org submission requires.",
 "score": 5.4,
- "reason_not_filed": "lower score; smaller real-world consequence (sites are not auto-added to the preload list by the header alone)",
+ "reason_not_filed": "lower score; addressed in part by open issue #17",
 "timestamp": "2026-05-26T00:55:00Z"
 },
{ "finding": "Referrer-Policy classifies 'no-referrer-when-downgrade' as a strong value (score 10), but it is the historical default and is widely considered weak for cross-origin URL leakage.", "score": 4.2, - "reason_not_filed": "lower score; borderline classification call rather than a clear bug", + "reason_not_filed": "now covered by open issue #18", "timestamp": "2026-05-26T00:55:00Z" }, { @@ -50,8 +63,20 @@ { "finding": "checkCSP does not flag missing base-uri directive, leaving injection silently bypassing script-src 'self'.", "score": 7.9, - "reason_not_filed": "duplicate of open issue #5", + "reason_not_filed": "previously duplicate of open issue #5; #5 now closed", "timestamp": "2026-05-26T00:55:00Z" + }, + { + "finding": "Permissions-Policy tests in test/analyzer.test.ts (lines 276-293 and 341-355) assert old permissive scoring behavior, conflicting with the strict scoring added in commit 8d29a8c; 4 tests fail on HEAD — CI is broken.", + "score": 8.45, + "reason_not_filed": "duplicate of open issue #15 (filed by a different review run earlier today)", + "timestamp": "2026-05-26T06:10:00Z" + }, + { + "finding": "getVersion() in src/cli.ts:20-26 uses require('../package.json') in an ESM module (package.json type:module); require throws ReferenceError in ESM, catch returns '0.0.0'; --version and --help always display version 0.0.0.", + "score": 5.65, + "reason_not_filed": "lower score than CSP-Report-Only; DX bug but not a security or correctness issue in header analysis", + "timestamp": "2026-05-26T06:10:00Z" } ], "clean_areas": [