39 changes: 32 additions & 7 deletions .claude/review-state.json
@@ -1,6 +1,6 @@
{
"last_run": "2026-05-26T00:55:00Z",
"last_commit": "5083c52b64190381eadbb9f0c13b42e52c358a5a",
"last_run": "2026-05-26T06:10:00Z",
"last_commit": "81f8735d167b597ed7a7a88cc7f89ba0b440b07d",
"filed": [
{
"issue": 8,
Expand All @@ -14,31 +14,44 @@
"evidence_quality": 10
},
"timestamp": "2026-05-26T00:55:00Z"
},
{
"issue": 20,
"title": "[REVIEW] CSP: Content-Security-Policy-Report-Only is invisible to the analyzer — report-only deployments score 0/30 as if no CSP exists",
"finding": "checkCSP in src/rules.ts:42 only queries 'content-security-policy', never 'content-security-policy-report-only'; sites in the standard report-only rollout phase score 0/30 with status 'missing' and a misleading recommendation to 'add a CSP' even though one is already deployed.",
"score": 6.75,
"score_breakdown": {
"user_impact": 7,
"security_severity": 5,
"implementation_effort": 8,
"evidence_quality": 9
},
"timestamp": "2026-05-26T06:10:00Z"
}
],
"runner_ups": [
{
"finding": "CSP wildcard regex /(?:default-src|script-src)\\s+\\*/i only matches when '*' is the first source token; 'default-src 'self' *' is not flagged.",
"score": 6.1,
"reason_not_filed": "lower score; subsumed by broader CSP-evaluator-style follow-up to #5",
"reason_not_filed": "lower score; now covered by open issue #16",
"timestamp": "2026-05-26T00:55:00Z"
},
{
"finding": "checkCSP does not recognize Content-Security-Policy-Report-Only header; report-only deployments are treated as if no CSP exists.",
"score": 5.9,
"reason_not_filed": "lower score; needs design discussion on whether report-only should count for points",
"reason_not_filed": "previously runner-up; filed this run as issue #20 with refined scoring",
"timestamp": "2026-05-26T00:55:00Z"
},
{
"finding": "HSTS check awards full credit (preload bonus) when 'preload' directive is present even if max-age < 63072000 (2 years), which is the minimum the actual hstspreload.org submission requires.",
"score": 5.4,
"reason_not_filed": "lower score; smaller real-world consequence (sites are not auto-added to the preload list by the header alone)",
"reason_not_filed": "lower score; addressed in part by open issue #17",
"timestamp": "2026-05-26T00:55:00Z"
},
{
"finding": "Referrer-Policy classifies 'no-referrer-when-downgrade' as a strong value (score 10), but it is the historical default and is widely considered weak for cross-origin URL leakage.",
"score": 4.2,
"reason_not_filed": "lower score; borderline classification call rather than a clear bug",
"reason_not_filed": "now covered by open issue #18",
"timestamp": "2026-05-26T00:55:00Z"
},
{
Expand All @@ -50,8 +63,20 @@
{
"finding": "checkCSP does not flag missing base-uri directive, leaving <base> injection silently bypassing script-src 'self'.",
"score": 7.9,
"reason_not_filed": "duplicate of open issue #5",
"reason_not_filed": "previously duplicate of open issue #5; #5 now closed",
"timestamp": "2026-05-26T00:55:00Z"
},
{
"finding": "Permissions-Policy tests in test/analyzer.test.ts (lines 276-293 and 341-355) assert old permissive scoring behavior, conflicting with the strict scoring added in commit 8d29a8c; 4 tests fail on HEAD — CI is broken.",
"score": 8.45,
"reason_not_filed": "duplicate of open issue #15 (filed by a different review run earlier today)",
"timestamp": "2026-05-26T06:10:00Z"
},
{
"finding": "getVersion() in src/cli.ts:20-26 uses require('../package.json') in an ESM module (package.json type:module); require throws ReferenceError in ESM, catch returns '0.0.0'; --version and --help always display version 0.0.0.",
"score": 5.65,
"reason_not_filed": "lower score than CSP-Report-Only; DX bug but not a security or correctness issue in header analysis",
"timestamp": "2026-05-26T06:10:00Z"
}
],
"clean_areas": [
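Review bot: The runner-up record whose finding begins `"checkCSP does not recognize Content-Security-Policy-Report-Only header"` (score 5.9) is kept after the same finding is filed as issue #20 higher in the same hunk with score 6.75, so the state file now carries two records for one finding whose scores and timestamps can drift apart; once an item is filed its runner-up record should be dropped, or it needs a field that points at the filed entry instead of a free-text `reason_not_filed`. The same hunk also rewrites `reason_not_filed` on four entries (and the next hunk on one more, the base-uri finding) while leaving their `timestamp` at `2026-05-26T00:55:00Z` even though `last_run` moves to `2026-05-26T06:10:00Z`, so `timestamp` no longer tells a reader when a record was last changed. Adding `"updated_at": "2026-05-26T06:10:00Z"` to each touched entry would keep the original observation time and still make the edit traceable to a run. The `runner_ups` array continues in the collapsed context between the second and third hunks, so other entries may be affected in the same way.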