Update triage state with issue #18 security bug analysis

.claude/triage-state.json

@@ -1,6 +1,6 @@
 {
-  "last_run": "2026-05-26T05:18:00Z",
-  "last_commit": "5083c52b64190381eadbb9f0c13b42e52c358a5a",
+  "last_run": "2026-05-26T05:45:00Z",
+  "last_commit": "81f8735d167b597ed7a7a88cc7f89ba0b440b07d",
   "actions": [
     {
       "issue": 4,
@@ -19,13 +19,39 @@
       "action": "B",
       "timestamp": "2026-05-26T05:18:00Z",
       "summary": "User-directed override of 48h skip. Applied priority: high label (kept bug, security). Posted follow-up to existing triage comment with two new points: README.md:63 and src/rules.ts:46 themselves ship the vulnerable policy; proposed base-uri regex rejects valid multi-source restrictions (design choice to surface)."
+    },
+    {
+      "issue": 18,
+      "action": "A",
+      "timestamp": "2026-05-26T05:45:00Z",
+      "summary": "Confirmed no-referrer-when-downgrade in strongValues at src/rules.ts:113 and locked in by test/analyzer.test.ts:245-248; posted fix path (remove from strongValues, update test to expect score:5/warning)."
     }
   ],
   "skipped": [
     {
       "issue": 5,
       "reason": "recently commented (substantive triage comment from BodenMcHale at 2026-05-26T00:35:18Z, ~4h ago, well within 48h skip window)",
       "timestamp": "2026-05-26T04:45:00Z"
+    },
+    {
+      "issue": 17,
+      "reason": "lower priority than #18; #18 selected as top candidate (also security bug, 0 comments vs 1)",
+      "timestamp": "2026-05-26T05:45:00Z"
+    },
+    {
+      "issue": 16,
+      "reason": "lower priority than #18; #18 selected as top candidate",
+      "timestamp": "2026-05-26T05:45:00Z"
+    },
+    {
+      "issue": 8,
+      "reason": "lower priority than #18; #18 selected as top candidate",
+      "timestamp": "2026-05-26T05:45:00Z"
+    },
+    {
+      "issue": 15,
+      "reason": "correctness bug (Priority 2) ranked below #18 security bug (Priority 1)",
+      "timestamp": "2026-05-26T05:45:00Z"
     }
   ]
 }