34 changes: 31 additions & 3 deletions .claude/review-state.json
@@ -1,6 +1,6 @@
{
"last_run": "2026-05-26T00:55:00Z",
"last_commit": "5083c52b64190381eadbb9f0c13b42e52c358a5a",
"last_run": "2026-05-26T11:15:00Z",
"last_commit": "81f8735d167b597ed7a7a88cc7f89ba0b440b07d",
"filed": [
{
"issue": 8,
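Review bot: `last_commit` at the top of the file is the only structured record of which commit a run reviewed, and this update overwrites the previous value (5083c52b...). The entries under `filed` carry a `timestamp` but no commit field, so once `last_commit` moves again a finding can only be tied back to the code it was observed on by matching timestamps. Consider writing a `commit` field into each entry at the time it is recorded.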
Expand All @@ -14,6 +14,19 @@
"evidence_quality": 10
},
"timestamp": "2026-05-26T00:55:00Z"
},
{
"issue": 24,
"title": "[REVIEW] CLI: getVersion() uses require() in ESM module — --version and --help always display 0.0.0",
"finding": "getVersion() in src/cli.ts:20-26 calls require('../package.json') in an ESM module ('type':'module' + module:NodeNext). require is undefined in ESM, so the catch block always returns '0.0.0'. Confirmed: node dist/cli.js --version outputs 0.0.0 instead of 1.0.1.",
"score": 5.65,
"score_breakdown": {
"user_impact": 6,
"security_severity": 2,
"implementation_effort": 9,
"evidence_quality": 10
},
"timestamp": "2026-05-26T11:15:00Z"
}
],
"runner_ups": [
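Review bot: the new `filed` entry for issue 24 records `"score": 5.65` beside a `score_breakdown` of 6, 2, 9 and 10, but nothing in the lines shown says how the four components are weighted, so the total cannot be checked against them. The `reason_not_filed` text elsewhere in this file compares scores to decide what gets filed, so the weights (or a formula version) should be stored alongside the scores. The `finding` string also pins `src/cli.ts:20-26` as free text, which will drift as that file changes.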
Expand Down Expand Up @@ -52,13 +65,28 @@
"score": 7.9,
"reason_not_filed": "duplicate of open issue #5",
"timestamp": "2026-05-26T00:55:00Z"
},
{
"finding": "Permissions-Policy tests: 4 assertions in test/analyzer.test.ts fail on HEAD (81f8735) due to merge regression — 3 checkPermissionsPolicy tests expect score 10 from partial fixture; grade boundaries A+ test fixture uses camera=() only (score 5 not 10), giving 85% not 90%.",
"score": 7.4,
"reason_not_filed": "duplicate of open issue #15 (filed same day by earlier review session)",
"timestamp": "2026-05-26T11:15:00Z"
},
{
"finding": "CSP maxScore is 30 but maximum achievable score for any non-empty CSP is 20 (no positive bonus points exist); the 10-point gap inflates the denominator and caps the overall percentage at 90% even for a perfectly configured site.",
"score": 5.55,
"reason_not_filed": "lower score than filed finding; no existing issue found but deprioritized",
"timestamp": "2026-05-26T11:15:00Z"
}
],
"clean_areas": [
"package.json exports/main/types/bin fields are correctly configured",
"tsconfig.json strict mode is enabled",
"CI workflows (ci.yml, publish.yml, auto-tag.yml) are sound",
"X-Content-Type-Options check (rules.ts:93-104) — values correctly validated",
"X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected"
"X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected",
"fetch.ts timeout implementation (AbortController + clearTimeout) is correct",
"analyzer.ts grade boundaries (toGrade) match documented grading scale",
"index.ts analyze() correctly dispatches URL strings vs header objects"
]
}
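Review bot: the second new `runner_ups` entry (CSP `maxScore` of 30 against an achievable 20) is marked "no existing issue found but deprioritized", which leaves a scoring defect that caps the overall percentage at 90% tracked only in this state file. For a tool that grades security headers, that should get its own issue even at score 5.55. The new `clean_areas` line saying the `toGrade` boundaries match the documented scale should also state that it covers the thresholds only, since the same hunk records that the percentage fed into them is capped.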
39 changes: 0 additions & 39 deletions package-lock.json

Some generated files are not rendered by default.