diff --git a/.claude/review-state.json b/.claude/review-state.json index b21a0b9..b2203e1 100644 --- a/.claude/review-state.json +++ b/.claude/review-state.json @@ -1,6 +1,6 @@ { - "last_run": "2026-05-26T00:55:00Z", - "last_commit": "5083c52b64190381eadbb9f0c13b42e52c358a5a", + "last_run": "2026-05-26T08:12:00Z", + "last_commit": "81f8735d167b597ed7a7a88cc7f89ba0b440b07d", "filed": [ { "issue": 8, @@ -14,19 +14,32 @@ "evidence_quality": 10 }, "timestamp": "2026-05-26T00:55:00Z" + }, + { + "issue": 21, + "title": "[REVIEW] CSP: `'unsafe-inline'` penalized even when `'strict-dynamic'` + nonce is present — false positive flags a recommended strict CSP pattern", + "finding": "checkCSP in src/rules.ts:53-57 unconditionally deducts 5 points for 'unsafe-inline', even when 'strict-dynamic' + nonce is also present — a recommended backwards-compat pattern that is safely ignored by CSP3 browsers. Developer receives wrong advice to 'use nonces or hashes instead' when they already do.", + "score": 7.10, + "score_breakdown": { + "user_impact": 7, + "security_severity": 6, + "implementation_effort": 8, + "evidence_quality": 9 + }, + "timestamp": "2026-05-26T08:12:00Z" } ], "runner_ups": [ { "finding": "CSP wildcard regex /(?:default-src|script-src)\\s+\\*/i only matches when '*' is the first source token; 'default-src 'self' *' is not flagged.", "score": 6.1, - "reason_not_filed": "lower score; subsumed by broader CSP-evaluator-style follow-up to #5", + "reason_not_filed": "duplicate of open issue #16 (which also covers connect-src *, form-action *, and mid-policy wildcards)", "timestamp": "2026-05-26T00:55:00Z" }, { "finding": "checkCSP does not recognize Content-Security-Policy-Report-Only header; report-only deployments are treated as if no CSP exists.", "score": 5.9, - "reason_not_filed": "lower score; needs design discussion on whether report-only should count for points", + "reason_not_filed": "duplicate of open issue #20", "timestamp": "2026-05-26T00:55:00Z" }, { @@ -38,7 +51,7 @@ { "finding": "Referrer-Policy classifies 'no-referrer-when-downgrade' as a strong value (score 10), but it is the historical default and is widely considered weak for cross-origin URL leakage.", "score": 4.2, - "reason_not_filed": "lower score; borderline classification call rather than a clear bug", + "reason_not_filed": "duplicate of open issue #18", "timestamp": "2026-05-26T00:55:00Z" }, { @@ -50,8 +63,32 @@ { "finding": "checkCSP does not flag missing base-uri directive, leaving injection silently bypassing script-src 'self'.", "score": 7.9, - "reason_not_filed": "duplicate of open issue #5", + "reason_not_filed": "duplicate of closed issue #5", "timestamp": "2026-05-26T00:55:00Z" + }, + { + "finding": "PR #2 merge (81f8735) introduced 4 failing tests in test/analyzer.test.ts: branch owl-alpha/add-tests-and-timeout was forked before commit 8d29a8c tightened Permissions-Policy scoring (require all 3 directives), so tests still expect old score-10-for-presence behavior.", + "score": 8.1, + "score_breakdown": { + "user_impact": 8, + "security_severity": 7, + "implementation_effort": 9, + "evidence_quality": 10 + }, + "reason_not_filed": "duplicate of open issue #15", + "timestamp": "2026-05-26T08:12:00Z" + }, + { + "finding": "HSTS: max-age=0 (HSTS revocation/deletion directive) scores 'good' when accompanied by includeSubDomains and preload, because bonus points push total to 15+ despite finding for low max-age.", + "score": 7.0, + "reason_not_filed": "duplicate of open issue #17", + "timestamp": "2026-05-26T08:12:00Z" + }, + { + "finding": "CSP: form-action directive is not checked; default-src 'self' does not restrict form submissions (form-action is a navigation directive with no default-src fallback per CSP3).", + "score": 6.8, + "reason_not_filed": "duplicate of open issue #19", + "timestamp": "2026-05-26T08:12:00Z" } ], "clean_areas": [ @@ -59,6 +96,9 @@ "tsconfig.json strict mode is enabled", "CI workflows (ci.yml, publish.yml, auto-tag.yml) are sound", "X-Content-Type-Options check (rules.ts:93-104) — values correctly validated", - "X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected" + "X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected", + "src/index.ts — exports are correct and FetchOptions type is exported", + "src/analyzer.ts — grade thresholds match README grading scale", + "src/fetch.ts — AbortController timeout is correctly implemented" ] } diff --git a/package-lock.json b/package-lock.json index 65db0c6..72d1b93 100644 --- a/package-lock.json +++ b/package-lock.json @@ -637,9 +637,6 @@ "arm" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -654,9 +651,6 @@ "arm" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -671,9 +665,6 @@ "arm64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -688,9 +679,6 @@ "arm64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -705,9 +693,6 @@ "loong64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -722,9 +707,6 @@ "loong64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -739,9 +721,6 @@ "ppc64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -756,9 +735,6 @@ "ppc64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -773,9 +749,6 @@ "riscv64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -790,9 +763,6 @@ "riscv64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -807,9 +777,6 @@ "s390x" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -824,9 +791,6 @@ "x64" ], "dev": true, - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -841,9 +805,6 @@ "x64" ], "dev": true, - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [