diff --git a/.claude/review-state.json b/.claude/review-state.json
index b21a0b9..ff21009 100644
--- a/.claude/review-state.json
+++ b/.claude/review-state.json
@@ -1,6 +1,6 @@
 {
- "last_run": "2026-05-26T00:55:00Z",
- "last_commit": "5083c52b64190381eadbb9f0c13b42e52c358a5a",
+ "last_run": "2026-05-26T05:00:00Z",
+ "last_commit": "81f8735d167b597ed7a7a88cc7f89ba0b440b07d",
 "filed": [
 {
 "issue": 8,
@@ -14,6 +14,19 @@
 "evidence_quality": 10
 },
 "timestamp": "2026-05-26T00:55:00Z"
+ },
+ {
+ "issue": 22,
+ "title": "[REVIEW] Permissions-Policy: `recommendations` always populated — spurious \"Fix:\" output when status is `good`",
+ "finding": "checkPermissionsPolicy in src/rules.ts:141 returns a non-empty recommendations array even when isGood===true (status: 'good'), causing the CLI to show a 'Fix:' line for correctly-configured headers. All other check functions return recommendations:[] for the good path.",
+ "score": 6.50,
+ "score_breakdown": {
+ "user_impact": 7,
+ "security_severity": 3,
+ "implementation_effort": 10,
+ "evidence_quality": 10
+ },
+ "timestamp": "2026-05-26T05:00:00Z"
 }
 ],
 "runner_ups": [
@@ -52,6 +65,12 @@
 "score": 7.9,
 "reason_not_filed": "duplicate of open issue #5",
 "timestamp": "2026-05-26T00:55:00Z"
+ },
+ {
+ "finding": "checkCSP does not detect 'unsafe-hashes' keyword — event-handler attribute injection is not penalized.",
+ "score": 6.05,
+ "reason_not_filed": "lower score than filed issue #22",
+ "timestamp": "2026-05-26T05:00:00Z"
 }
 ],
 "clean_areas": [
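Review bot: `"score": 6.50` in the new issue-22 entry carries a trailing zero that the file's other scores (`7.9`, `6.05`) do not; any tool that round-trips this state file will re-serialize it as `6.5` and produce a spurious diff on the next run, so write it as `"score": 6.5,`. The `finding` text also pins the location to `src/rules.ts:141`, a line number that will drift as rules.ts changes; the function name `checkPermissionsPolicy` is the stable locator and the line reference could be dropped or kept only as a hint. Whether a downstream consumer parses these strings is not visible here, so this is a maintainability point rather than a defect.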
@@ -59,6 +78,10 @@
 "tsconfig.json strict mode is enabled",
 "CI workflows (ci.yml, publish.yml, auto-tag.yml) are sound",
 "X-Content-Type-Options check (rules.ts:93-104) — values correctly validated",
- "X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected"
+ "X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected",
+ "fetch.ts: AbortController timeout implementation is correct (timer cleared in finally block)",
+ "analyzer.ts: grade calculation and percentage rounding are correct",
+ "index.ts: analyze() dispatches correctly between URL-fetch and header-object paths",
+ "cli.ts: exit code gate (D or F → exit 1) matches documented CI-gate behavior"
 ]
 }
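Review bot: The four added `clean_areas` strings use a `file.ts: claim` form while the entries directly above them use `Check name (file:lines) — detail`; the list is presumably read back by the next review pass, so one consistent shape is easier to match and de-duplicate. Unlike the `filed` and `runner_ups` records, these entries carry no `timestamp` or commit, so once `last_commit` advances there is no way to tell which pass verified, say, the `cli.ts` exit-code gate; if the schema allows it, recording the verifying commit alongside each claim would make the list auditable. This is a data-shape observation only; no claim in the new strings is contradicted by anything visible in the hunk.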